Pteranodon is a custom backdoor used by Gamaredon Group.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Pteranodon can use HTTP for C2.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Pteranodon copies itself to the Startup folder to establish persistence.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Pteranodon can use |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Pteranodon can use a malicious VBS file for execution.[2] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Pteranodon creates various subdirectories under |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Pteranodon can decrypt encrypted data strings prior to using them.[4] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Pteranodon exfiltrates screenshot files to its C2 server.[1] |
| Enterprise | T1083 | File and Directory Discovery | Pteranodon identifies files matching certain file extensions and copies them to subdirectories it created.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Pteranodon can delete files that may interfere with its execution. It can also delete temporary files and itself after the initial script executes.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Pteranodon can download and execute additional files.[1][2][5] |
| Enterprise | T1106 | Native API | Pteranodon has used various API calls.[4] |
| Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | Pteranodon can use a dynamic Windows hashing algorithm to map API components.[4] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Pteranodon schedules tasks to invoke its components in order to establish persistence.[1][2] |
| Enterprise | T1113 | Screen Capture | Pteranodon can capture screenshots at a configurable interval.[1][5] |
| Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Pteranodon can use mshta.exe to execute an HTA file hosted on a remote server.[2] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Pteranodon executes functions using rundll32.exe.[1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Pteranodon has the ability to use anti-detection functions to identify sandbox environments.[5] |