Emerging Threat: Understanding The PySilon Discord RAT’s Versatile Features – Cyble

MITRE Techniques

• [T1566] Phishing – This malware could reach users via phishing sites. ‘This malware could reach users via phishing sites.’
• [T1204] User Execution – The user needs to manually execute the malicious file downloaded from the phishing site. ‘The user needs to manually execute the malicious file downloaded from the phishing site.’
• [T1059] Command and Scripting Interpreter – cmd.exe are used to collect system information. ‘cmd.exe are used to collect system information.’
• [T1059.001] PowerShell – PowerShell command are used to add an exclusion path for Windows Defender. ‘PowerShell command are used to add an exclusion path for Windows Defender.’
• [T1047] Windows Management Instrumentation – WMIC command used to get system information. ‘WMIC command used to get system information.’
• [T1547.001] Registry Run Keys / Startup Folder – Malware adding run entry for persistence. ‘Malware adding run entry for persistence.’
• [T1497] Virtualization/Sandbox Evasion – Performing Anti-VM/Anti-Debug technique for evasion. ‘Performing Anti-VM/Anti-Debug technique for evasion.’
• [T1562.001] Disable or Modify Tools – The malware scans for VM and Debugger-related processes and terminates them. ‘The malware scans for VM and Debugger-related processes and terminates them.’
• [T1003] OS Credential Dumping – Malware attempts to dump credentials to obtain account login and credential. ‘Malware attempts to dump credentials to obtain account login and credential.’
• [T1056.001] Input Capture – The malware possesses the capability to engage in keylogging activities. ‘The malware possesses the capability to engage in keylogging activities.’
• [T1057] Process Discovery – The malware look out a specific processes to terminate. ‘The malware look out a specific processes to terminate.’
• [T1012] Query Registry – The malware is examining the registry to extract system details. ‘The malware is examining the registry to extract system details.’
• [T1082] System Information Discovery – The malware gathers system information through PowerShell, Command Prompt (cmd), and WMIC. ‘The malware gathers system information through PowerShell, Command Prompt (cmd), and WMIC.’
• [T1518.001] Security Software Discovery – The malware is searching for processes associated with virtual machines and debuggers to forcibly terminate. ‘The malware is searching for processes associated with virtual machines and debuggers to forcibly terminate.’
• [T1005] Data from Local System – The malware collects sensitive data from victim’s system. ‘The malware collects sensitive data from victim’s system.’
• [T1071] Application Layer Protocol – TCP is used by the malware to interact with the C&C server. ‘TCP is used by the malware to interact with the C&C server.’
• [T1105] Ingress Tool Transfer – The malware has ability to download files from C&C. ‘The malware has ability to download files from C&C’