STOCKSTAY Another Day: The Latest Addition to Turla’s Intelligence Gathering Apparatus

MITRE Techniques

• [T1059.001 ] PowerShell – Used to stage or run additional malware and scripts during intrusions (‘staging output from an otherwise unknown Powershell backdoor’).
• [T1053.005 ] Scheduled Task/Job: Scheduled Task – Persistence was established through autorun-style execution and registry run keys, and the report notes multiple autorun entries used by MARKETMAKER (‘establishes persistence through Windows registry modifications’ / ‘multiple autorun entries’).
• [T1112 ] Modify Registry – STOCKTRADER supports registry read/write/delete operations, and MARKETMAKER uses registry run keys for persistence (‘Registry Write’, ‘Registry Write to Run Registry Key’).
• [T1027 ] Obfuscated Files or Information – STOCKSTAY and related components used junk code, string obfuscation, encrypted config files, and hidden modules to resist analysis (‘heavy obfuscation’, ‘encrypted configuration files’).
• [T1105 ] Ingress Tool Transfer – STOCKSTAY.MARKETMAKER downloaded and extracted ZIP payloads from remote servers and compromised sites (‘downloads and extracts additional payloads from a remote server’).
• [T1071.001 ] Web Protocols – STOCKSTAY communicated with C2 over secure WebSocket connections (‘communicates with its command and control (C2) via a secure WebSocket connection’).
• [T1133 ] External Remote Services – Victims were first connected through malicious RDP files to actor-controlled infrastructure (‘malicious Remote Desktop Protocol (RDP) file’).
• [T1204.002 ] User Execution: Malicious File – Phishing lures relied on users opening RDP, HTA, MSI, LNK, or archive files to trigger execution (‘upon opening resulted in a connection’, ‘malicious HTA file’).
• [T1566.001 ] Phishing: Spearphishing Attachment – Emails delivered malicious RDP and other attachments to targets (‘phishing email containing … a malicious RDP file attachment’).
• [T1566.002 ] Phishing: Spearphishing Link – Phishing emails used unique file-sharing links to deliver malicious archives (‘each containing a unique ukr.net file sharing link’).
• [T1106 ] Native API – The malware uses Windows Forms, WM_COPYDATA, WMI, and .NET framework functionality to execute internal operations (‘WMI is queried’, ‘exchange of WM_COPYDATA messages’).
• [T1083 ] File and Directory Discovery – STOCKTRADER can enumerate directories and collect file listings (‘Generate a listing of the specified directories’).
• [T1005 ] Data from Local System – STOCKTRADER can retrieve files and archive them for exfiltration (‘All files matching … will be added to an in-memory ZIP archive’).
• [T1119 ] Automated Collection – The malware can gather system details, files, screenshots, and process lists automatically (‘Conduct a system survey’, ‘Perform a screen-capture’).
• [T1057 ] Process Discovery – The Sysinfo command collects running process names (‘captures a list of the names of running processes’).
• [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – MARKETMAKER and LNK payloads were used to execute malware at startup (‘enabled persistent execution via registry run keys’, ‘startup programs directory’).
• [T1102 ] Web Service – STOCKSTAY used Render and GitHub-hosted WebSocket infrastructure and compromised web services for hosting (‘hosting web services, including WebSockets’).
• [T1553.002 ] Code Signing or Trusted Developer Utilities Proxy Execution – The attack leveraged legitimate-looking application names and benign wrappers such as MSI, RDP, and HTA execution paths to conceal malware (‘masquerading as “MicrosoftUpdateOneDrive”‘, ‘masqueraded as the ILSpy application’).