AuTo Stealer
AuTo Stealer is malware written in C++ has been used bySideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol:Web Protocols | AuTo Stealer can use HTTP to communicate with its C2 servers.[1] |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution:Registry Run Keys / Startup Folder | AuTo Stealer can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.[1] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter:Windows Command Shell | AuTo Stealer can use |
| Enterprise | T1005 | Data from Local System | AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine.[1] | |
| Enterprise | T1074 | .001 | Data Staged:Local Data Staging | AuTo Stealer can store collected data from an infected host to a file named |
| Enterprise | T1041 | Exfiltration Over C2 Channel | AuTo Stealer can exfiltrate data over actor-controlled C2 servers via HTTP or TCP.[1] | |
| Enterprise | T1095 | Non-Application Layer Protocol | AuTo Stealer can use TCP to communicate with command and control servers.[1] | |
| Enterprise | T1518 | .001 | Software Discovery:Security Software Discovery | AuTo Stealer has the ability to collect information about installed AV products from an infected host.[1] |
| Enterprise | T1082 | System Information Discovery | AuTo Stealer has the ability to collect the hostname and OS information from an infected host.[1] | |
| Enterprise | T1033 | System Owner/User Discovery | AuTo Stealer has the ability to collect the username from an infected host.[1] | |