EXECUTIVE SUMMARY
The malware's execution splits into two parts, one focused on reconnaissance and the other on communicating with a remote command-and-control server.
This structure allows the attackers to quietly gather system information while maintaining a stealthy connection back to their infrastructure.
The malware has been designed to evade detection: it had zero detections on VirusTotal and bypassed major endpoint detection and response (EDR) tools. Persistence is another key aspect: the malware restarts automatically even if its registry entry is removed.
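A RAT that survives removal of its Run key has a second autostart anchor somewhere; the threat profile below lists both Run keys and scheduled tasks. The following hunt script is an added example (not part of the report) that lists executables referenced by both a Run key and a scheduled task action on the local host; the file-extension list and the decision to compare by bare executable name are assumptions of this example.

```powershell
# Added example: flag executables anchored in both a Run key and a scheduled task.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Provider metadata properties that Get-ItemProperty adds alongside the real values.
$providerMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Collect Run-key autostart entries as (Source, Name, Command) records.
$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerMeta -contains $p.Name) { continue }
        [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}

# Collect scheduled task actions that launch a program (requires the ScheduledTasks module).
$taskEntries = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            [pscustomobject]@{ Source = "Task:$($task.TaskPath)$($task.TaskName)"; Name = $task.TaskName; Command = $action.Execute }
        }
    }
}

# Reduce a command line to the bare executable/script name (assumed extension list) so
# that quoting and argument differences between the two sources do not hide a match.
function Get-ExeName([string]$cmd) {
    $m = [regex]::Match($cmd, '(?i)([^\\/"'']+\.(exe|ps1|py|bat|cmd|vbs|js))')
    if ($m.Success) { $m.Value.ToLower() } else { $cmd.Trim('"').ToLower() }
}

$runByExe  = $runEntries  | Group-Object { Get-ExeName $_.Command } -AsHashTable -AsString
$taskByExe = $taskEntries | Group-Object { Get-ExeName $_.Command } -AsHashTable -AsString

# Group-Object returns $null on empty input, so guard before indexing.
if ($runByExe -and $taskByExe) {
    foreach ($exe in $runByExe.Keys) {
        if ($taskByExe.ContainsKey($exe)) {
            Write-Output "Redundant persistence for '$exe':"
            $runByExe[$exe]  | ForEach-Object { Write-Output "  Run key : $($_.Source)\$($_.Name) -> $($_.Command)" }
            $taskByExe[$exe] | ForEach-Object { Write-Output "  Task    : $($_.Source) -> $($_.Command)" }
        }
    }
}
```

Legitimate software (updaters, agents) also registers in both places, so treat hits as triage candidates to check against signer and path, not as verdicts.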
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1078.004 | Valid Accounts | Cloud Accounts |
| Initial Access | T1566.003 | Phishing | Spearphishing via Service |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1027 | Obfuscated Files or Information | – |
| Defense Evasion | T1036 | Masquerading | – |
| Discovery | T1082 | System Information Discovery | – |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | – |
REFERENCES:
The reports contain further technical details:
Hackers Hijack Microsoft Teams Accounts to Deliver ModeloRAT