Created by: alon

Date created: 2022-12-16

Last edited: 2023-01-24

Description: Heatmap of instances of ATT&CK techniques for DuckTail Stealer based on recent public CTI reporting (the source report for each technique is the URL listed under that technique).

Techniques (21)

  • Bidirectional Communication

    ID: T1102.002

    Tactics: Command and Control

    Description: https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf

  • Code Signing Certificates

    ID: T1588.003

    Tactics: Resource Development

    Description: https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf

  • Command and Scripting Interpreter

    ID: T1059

    Tactics: Execution

    Description: https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts

  • Credentials from Web Browsers

    ID: T1555.003

    Tactics: Credential Access

    Description: https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf

  • Data from Local System

    ID: T1005

    Tactics: Collection

    Description: https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts

  • Deobfuscate/Decode Files or Information

    ID: T1140

    Tactics: Defense Evasion

    Description: https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts

  • Exfiltration Over Web Service

    ID: T1567

    Tactics: Exfiltration

    Description: https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf

  • File and Directory Discovery

    ID: T1083

    Tactics: Discovery

    Description: https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts

  • Gather Victim Identity Information

    ID: T1589

    Tactics: Reconnaissance

    Description: https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf

  • Gather Victim Org Information

    ID: T1591

    Tactics: Reconnaissance

    Description: https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf

  • Malicious File

    ID: T1204.002

    Tactics: Execution

    Description: https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf

  • Malware

    ID: T1587.001

    Tactics: Resource Development

    Description: https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf

  • OS Credential Dumping

    ID: T1003

    Tactics: Credential Access

    Description: https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts

  • Phishing

    ID: T1566

    Tactics: Initial Access

    Description: https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf

  • Remote System Discovery

    ID: T1018

    Tactics: Discovery

    Description: https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts

  • Security Software Discovery

    ID: T1518.001

    Tactics: Discovery

    Description: https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts

  • Social Media

    ID: T1593.001

    Tactics: Reconnaissance

    Description: https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf

  • Steal Application Access Token

    ID: T1528

    Tactics: Credential Access

    Description: https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf

  • Steal Web Session Cookie

    ID: T1539

    Tactics: Credential Access

    Description: https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf

  • System Information Discovery

    ID: T1082

    Tactics: Discovery

    Description: https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts

  • Windows Management Instrumentation

    ID: T1047

    Tactics: Execution

    Description: https://www.zscaler.com/blogs/security-research/new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts
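The list above is the raw material for an ATT&CK Navigator heatmap. The following is an added example, not code from the page or from either cited report, showing how a practitioner would turn the 21 entries into a Navigator layer: each technique is scored by the number of distinct public sources citing it (every entry here has exactly one, so every score is 1), tactic names are converted to Navigator's kebab-case shortnames, and a lint pass flags the two mistakes that silently inflate such heatmaps (duplicate rows, and a parent technique listed alongside its own sub-technique). The Navigator/layer version numbers and gradient colours are assumptions; adjust them to the Navigator build you use.

```python
"""Build an ATT&CK Navigator layer from the DuckTail technique list on this page (added example)."""
import json
import re
from collections import Counter, defaultdict

# Technique rows transcribed from the page: (name, ATT&CK ID, tactic, source URL).
WITHSECURE = "https://labs.withsecure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf"
ZSCALER = ("https://www.zscaler.com/blogs/security-research/"
           "new-php-variant-ducktail-infostealer-targeting-facebook-business-accounts")

DUCKTAIL_TECHNIQUES = [
    ("Bidirectional Communication", "T1102.002", "Command and Control", WITHSECURE),
    ("Code Signing Certificates", "T1588.003", "Resource Development", WITHSECURE),
    ("Command and Scripting Interpreter", "T1059", "Execution", ZSCALER),
    ("Credentials from Web Browsers", "T1555.003", "Credential Access", WITHSECURE),
    ("Data from Local System", "T1005", "Collection", ZSCALER),
    ("Deobfuscate/Decode Files or Information", "T1140", "Defense Evasion", ZSCALER),
    ("Exfiltration Over Web Service", "T1567", "Exfiltration", WITHSECURE),
    ("File and Directory Discovery", "T1083", "Discovery", ZSCALER),
    ("Gather Victim Identity Information", "T1589", "Reconnaissance", WITHSECURE),
    ("Gather Victim Org Information", "T1591", "Reconnaissance", WITHSECURE),
    ("Malicious File", "T1204.002", "Execution", WITHSECURE),
    ("Malware", "T1587.001", "Resource Development", WITHSECURE),
    ("OS Credential Dumping", "T1003", "Credential Access", ZSCALER),
    ("Phishing", "T1566", "Initial Access", WITHSECURE),
    ("Remote System Discovery", "T1018", "Discovery", ZSCALER),
    ("Security Software Discovery", "T1518.001", "Discovery", ZSCALER),
    ("Social Media", "T1593.001", "Reconnaissance", WITHSECURE),
    ("Steal Application Access Token", "T1528", "Credential Access", WITHSECURE),
    ("Steal Web Session Cookie", "T1539", "Credential Access", WITHSECURE),
    ("System Information Discovery", "T1082", "Discovery", ZSCALER),
    ("Windows Management Instrumentation", "T1047", "Execution", ZSCALER),
]

# Technique IDs look like T1234 (parent) or T1234.001 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def tactic_slug(tactic: str) -> str:
    """Navigator keys techniques by the tactic shortname, e.g. 'command-and-control'."""
    return tactic.strip().lower().replace(" ", "-")


def lint_entries(entries) -> list:
    """Return warnings for rows that would double count in a heatmap."""
    warnings, seen = [], set()
    ids = {tid for _, tid, _, _ in entries}
    for _, tid, tactic, url in entries:
        key = (tid, tactic_slug(tactic), url)
        if key in seen:
            warnings.append(f"duplicate row: {tid} / {tactic} / {url}")
        seen.add(key)
    for tid in sorted(ids):
        parent = tid.split(".")[0]
        if "." in tid and parent in ids:
            warnings.append(f"{tid} and its parent {parent} are both listed; heatmap counts both")
    return warnings


def build_layer(entries, name="DuckTail Stealer", attack_version="12") -> dict:
    """Return a Navigator layer dict; score = number of distinct sources citing a technique."""
    sources = defaultdict(set)          # (technique ID, tactic slug) -> {source URLs}
    for _, tid, tactic, url in entries:
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"malformed technique ID: {tid!r}")
        sources[(tid, tactic_slug(tactic))].add(url)
    techniques = [
        {
            "techniqueID": tid,
            "tactic": tactic,
            "score": len(urls),
            "comment": "; ".join(sorted(urls)),   # keeps provenance inside the layer
            "enabled": True,
            "showSubtechniques": False,
        }
        for (tid, tactic), urls in sorted(sources.items())
    ]
    max_score = max((t["score"] for t in techniques), default=1)
    return {
        "name": name,
        # Version numbers are assumptions; match them to your Navigator instance.
        "versions": {"attack": attack_version, "navigator": "4.8.0", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "ATT&CK techniques for DuckTail Stealer from public CTI reporting",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max_score},
        "hideDisabled": True,
    }


def tactic_coverage(entries) -> dict:
    """Count listed techniques per tactic slug, e.g. {'discovery': 4, ...}."""
    return dict(Counter(tactic_slug(tactic) for _, _, tactic, _ in entries))


if __name__ == "__main__":
    for warning in lint_entries(DUCKTAIL_TECHNIQUES):
        print("WARNING:", warning)
    print(json.dumps(build_layer(DUCKTAIL_TECHNIQUES), indent=2))
```

Save the printed JSON and load it through Navigator's "Open Existing Layer" dialog. Because the score is a source count, adding a third report that corroborates, say, T1539 raises that cell's colour while uncorroborated techniques stay pale, which is the distinction a heatmap of "instances" is meant to show.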
