CYFIRMA analyzes Flame Stealer, a purchasable stealer sold on Discord and Telegram that targets Discord tokens, browser cookies, and credentials, while detailing its evasion techniques. The report covers its capabilities, execution, persistence, data collection, exfiltration, and recommended mitigations.
#FlameStealer #Cyfirma #Discord #Telegram
Keypoints
- The Flame Stealer is programmed in C/C++ and marketed on Discord and Telegram, designed to extract Discord tokens, browser cookies, and autofill data, with multiple users leveraging the tool.
- Its sellers claim it is undetected by antivirus software; it sets itself to auto-start on Windows boot and uses DLL side-loading to run malicious payloads.
- It retrieves information on installed extensions, Discord accounts, server connections, bots, and sends stolen data to a webhook for potential remote access.
- Persistence is achieved via Registry Run Keys and Startup Folder, including dropping PE files into startup locations and creating Start Menu entries.
- Defense evasion includes virtualization/sandbox checks, evasive loops, NSIS-based obfuscation, XOR encoding, CRC32 manipulation, and code obfuscation techniques.
- Discovery and data collection cover process, remote system, file/dir, system information, security software discovery, email data, browser data, clipboard, and webcam capture, with exfiltration over a Discord webhook.
- Impact capabilities include the ability to shut down or reboot the target machine, which the report ties to its persistence mechanism (a reboot triggers the auto-start entries it has planted).
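The persistence described in the keypoints (Run keys plus dropped PE files in the Startup folder) is cheap to hunt for from an offline triage package. The script below is an added example written for this summary, not code from CYFIRMA or from the stealer: it parses `reg export` text for Run/RunOnce values whose image lives in a user-writable drop directory, and lists executables sitting in the Startup folders. The .reg text and the directory listing are constructed samples; the file name reused from the IOC table is only there to make the output recognisable.

```python
import re

# Constructed sample (not from the report): text in the format written by
# `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run out.reg`.
# .reg files double every backslash and escape embedded quotes as \".
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\dragonquest 1.1.5.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

# Constructed sample: listing of the per-user and all-users Startup folders.
SAMPLE_STARTUP_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Send to OneNote.lnk",
]

# User-writable directories a legitimate auto-start entry rarely points into.
SUSPICIOUS_DIRS = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\users\\public\\", "\\downloads\\")
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg escaping: \\ -> \ and \" -> " in one pass.
    return re.sub(r"\\(.)", r"\1", s)


def image_path(command):
    """Pull the executable out of a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"(?i)^.*?\.(exe|com|scr|dll)\b", command)
    return m.group(0) if m else command.split(" ")[0]


def parse_run_keys(reg_text):
    """Yield (key, value_name, command) for every value under a Run/RunOnce key."""
    key = None
    for line in reg_text.splitlines():
        km = _KEY_RE.match(line.strip())
        if km:
            key = km.group(1)
            continue
        vm = _VALUE_RE.match(line.strip())
        if vm and key and re.search(r"\\Run(Once)?$", key, re.I):
            yield key, _unescape(vm.group("name")), _unescape(vm.group("data"))


def hunt_autostarts(reg_text, startup_files):
    """Return (source, name, path) for Run-key images in drop directories and
    for PE files placed directly in a Startup folder."""
    findings = []
    for key, name, command in parse_run_keys(reg_text):
        path = image_path(command)
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            findings.append(("RunKey", key + "\\" + name, path))
    for path in startup_files:
        if path.lower().endswith(PE_EXTENSIONS):
            findings.append(("StartupFolder", path.rsplit("\\", 1)[-1], path))
    return findings


if __name__ == "__main__":
    for finding in hunt_autostarts(SAMPLE_REG_EXPORT, SAMPLE_STARTUP_FILES):
        print(" | ".join(finding))
```

On a live host the same logic runs over `reg export` output for the HKCU and HKLM Run/RunOnce keys and a `dir` of both Startup folders; .lnk shortcuts are normal there, a bare .exe or .dll is not.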
MITRE Techniques
- [T1059] Command and Scripting Interpreter – ‘The stealer uses a Command and Scripting Interpreter technique to take control of command-line arguments from the attacker to execute commands, scripts, or binaries.’ ‘Multiple and lengthy command lines that are uncommon, encrypted or packed have been observed.’
- [T1547] Boot or Logon AutoStart Execution – ‘Adversaries achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.’; ‘Here the stealer drops PE files into the startup folder, creates a Start Menu entry under (Start Menu\Programs\Startup), and stores files in the Windows Start Menu directory to ensure persistence on the system.’
- [T1574.002] DLL Side-Loading – ‘Adversaries execute their own malicious payloads by side-loading DLLs.’; ‘The Stealer tries to load multiple missing DLLs.’ (The report cites T1574.001, which is DLL Search Order Hijacking; attempts to load DLLs that are absent from the expected path fit that sub-technique at least as well as side-loading.)
- [T1055] Process Injection – ‘Process Injection: Creates multiple processes in suspended mode (likely to inject code) by executing commands that obtain information about running processes on local systems and current user details, disabling certain browser features related to rendering processes, and suggesting retrieval while utilizing a prefetch hint to optimize application launch.’
- [T1497] Virtualization/Sandbox Evasion – ‘The stealer uses System Checks Technique where it uses specific strings or patterns that evade sandbox analysis [VirtualBox/Xen virtual machine] and checks for a time delay via GetTickCount.’; ‘To evade detection and delay in analysis, the stealer uses evasive loops to hinder dynamic analysis that obscures malicious behavior.’
- [T1027] Obfuscated Files or Information – ‘The stealer uses NSIS (Nullsoft Scriptable Install System) installer to Obfuscate Files / Information and the developer(s) has used XOR (exclusive OR) to encode data and manipulate the hash data, using CRC32 (Cyclic Redundancy Check) to evade detection.’; ‘The stealer uses code obfuscation techniques (call, push, ret) to obscure functionality and make analysis more difficult.’
- [T1057] Process Discovery – ‘Detects the Windows Explorer process, queries a list of all running processes, and uses tasklist.exe for detailed information.’
- [T1018] Remote System Discovery – ‘Uses the file access function to open the host’s file located at C:\Windows\System32\drivers\etc\hosts. Once the file is opened, the malware reads the contents to gather information about hostname-to-IP address mappings.’ (The report cites T1016, which is System Network Configuration Discovery; reading the hosts file for remote hostnames is listed under T1018.)
- [T1083] File and Directory Discovery – ‘Harvests browser data to exploit the credentials and stores this under a temporary folder which the stealer creates at the initial stage.’; ‘Reads the C:\Users\desktop.ini file to access folder customization settings which gives insights into user behavior or system configurations.’
- [T1082] System Information Discovery – ‘Gathers information of queries from keyboard layouts, retrieves volume information (name, serial number, etc.), assesses free hard drive space, queries the cryptographic machine GUID, and reads software policies and Internet Explorer settings.’
- [T1063] Security Software Discovery – ‘It tries to detect the virtual machine to hinder analysis as VM artifact strings are found in the memory.’ (T1063 is retired in current ATT&CK in favor of T1518.001, and the behavior quoted is VM detection, which belongs under T1497 above.)
- [T1114] Email Collection – ‘Searches for the Microsoft Outlook file path to query the registry.’
- [T1115] Clipboard Data and [T1125] Video Capture – ‘Captures clipboard data and has the ability to capture webcam data.’
- [T1567.004] Exfiltration Over Web Service: Exfiltration Over Webhook – ‘The Stealer uses a Discord webhook endpoint to exfiltrate the data.’ (The report labels this T1041, which is Exfiltration Over C2 Channel; a Discord webhook is a third-party web service, not the stealer’s own C2 channel.)
- [T1529] System Shutdown/Reboot – ‘Has the capability to Shutdown/Reboot the target machine as part of its persistence mechanism.’
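The T1027 entry says the developers XOR-encode data and use CRC32 alongside it. The following added example, written for this summary and not taken from CYFIRMA or from the stealer, shows the analyst's side of that pairing: brute-forcing a single-byte XOR key over an encoded blob and, where the sample stores a CRC32 of the plaintext next to the ciphertext, using that checksum to confirm the key without guessing at strings. The blob layout (4-byte little-endian CRC32 followed by the XOR-encoded bytes), the key 0x5A and the placeholder webhook URL are all constructed assumptions; Flame Stealer's real string-table format is not described on this page.

```python
import zlib


def xor_bytes(data, key):
    """Single-byte XOR, the encoding most commonly met in stealer string tables."""
    return bytes(b ^ key for b in data)


def build_blob(plaintext, key):
    """Constructed layout (assumption, not the stealer's real format):
    4-byte little-endian CRC32 of the plaintext, then the XOR-encoded plaintext."""
    return zlib.crc32(plaintext).to_bytes(4, "little") + xor_bytes(plaintext, key)


def recover_xor_key(blob):
    """Try all 256 single-byte keys and accept the decode whose CRC32 matches the
    stored value. A stored checksum turns key recovery into an exact test."""
    stored = int.from_bytes(blob[:4], "little")
    body = blob[4:]
    for key in range(256):
        candidate = xor_bytes(body, key)
        if zlib.crc32(candidate) == stored:
            return key, candidate
    return None, None


def score_candidate(data, markers=(b"discord.com/api/webhooks", b"http")):
    """Fallback when no checksum is present: printable-ASCII ratio plus a bonus
    for each marker string an analyst expects to find in a stealer config."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / max(len(data), 1) + sum(m in data for m in markers)


def best_xor_guess(body):
    """Key whose decode scores highest under score_candidate (ties go to the lowest key)."""
    return max(range(256), key=lambda k: score_candidate(xor_bytes(body, k)))


# Constructed sample, not from the report: a placeholder webhook URL encoded with key 0x5A.
SAMPLE_PLAINTEXT = b"https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN_NOT_REAL"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = build_blob(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    key, plain = recover_xor_key(SAMPLE_BLOB)
    print(f"checksum-verified key 0x{key:02x}: {plain.decode()}")
    guess = best_xor_guess(SAMPLE_BLOB[4:])
    print(f"heuristic guess without checksum: 0x{guess:02x}")
```

When the CRC is not present, the heuristic path is what you fall back on; with a multi-byte key the same scoring still works, applied per key position after splitting the ciphertext by the key length.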
Indicators of Compromise
- [File Name] dragonquest 1.1.5.exe – The execution sample shown in the article.
- [File Size] 65.98 MB – Size of the sample file in the execution table.
- [Digital Signature] Not Signed – The file is listed as Not Signed.
- [SHA-256] ba12c6d4c15e9b309b00932116e330604160e433ec3237819550679cb8af75a6 – Payload 1
- [SHA-256] 9c1571dd2c50c4d8f8a971c2c15453958b84e658c8e0717e1c1e652d5c4f696a – Payload 2
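The two hashes above are the only atomic indicators on the page; the behavioural one that survives a recompile is the POST to a Discord webhook from a process that is not a browser or the Discord client. The script below is an added example for this summary, not CYFIRMA's tooling: it matches Sysmon-style process-creation records against the IOC hashes and flags webhook POSTs in proxy records, rating them by User-Agent. Both record formats (space-separated `Key=Value` events and tab-separated `ts client method url user_agent` proxy lines) and all sample lines are constructed.

```python
import re

# SHA-256 values from the IOC table above, lowercased for comparison.
IOC_SHA256 = {
    "ba12c6d4c15e9b309b00932116e330604160e433ec3237819550679cb8af75a6",
    "9c1571dd2c50c4d8f8a971c2c15453958b84e658c8e0717e1c1e652d5c4f696a",
}

# Discord webhook endpoints on discord.com / discordapp.com and the ptb/canary hosts.
WEBHOOK_RE = re.compile(
    r"https?://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+",
    re.I,
)

# 'Key=Value Key2=Value' where values (e.g. image paths) may themselves contain spaces.
_KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_kv(line):
    return dict(_KV_RE.findall(line))


def sysmon_hash_hits(events):
    """EventID 1 (process create) records whose SHA256 matches an IOC hash."""
    hits = []
    for line in events:
        ev = parse_kv(line)
        if ev.get("EventID") != "1":
            continue
        m = re.search(r"SHA256=([0-9a-fA-F]{64})", ev.get("Hashes", ""))
        if m and m.group(1).lower() in IOC_SHA256:
            hits.append((ev.get("Image"), m.group(1).lower()))
    return hits


def webhook_exfil_hits(proxy_lines):
    """POST to a Discord webhook. A non-browser, non-Discord User-Agent is the
    stealer pattern (high); a browser UA is still worth a look (medium)."""
    hits = []
    for line in proxy_lines:
        ts, client, method, url, ua = line.rstrip("\n").split("\t")
        if method.upper() != "POST" or not WEBHOOK_RE.match(url):
            continue
        browser_like = ua.startswith("Mozilla/") or ua.startswith("Discord")
        hits.append(("medium" if browser_like else "high", client, url))
    return hits


# Constructed Sysmon-like events (not from the report).
SAMPLE_SYSMON = [
    "EventID=1 Image=C:\\Users\\alice\\Downloads\\dragonquest 1.1.5.exe "
    "Hashes=SHA256=BA12C6D4C15E9B309B00932116E330604160E433EC3237819550679CB8AF75A6 User=DESKTOP\\alice",
    "EventID=1 Image=C:\\Windows\\System32\\tasklist.exe Hashes=SHA256=" + "0" * 64 + " User=DESKTOP\\alice",
    "EventID=3 Image=C:\\Users\\alice\\Downloads\\dragonquest 1.1.5.exe "
    "DestinationHostname=discord.com DestinationPort=443",
]

# Constructed proxy records: ts, client, method, url, user_agent (placeholder webhook token).
SAMPLE_PROXY = [
    "2024-06-01T10:00:03Z\t10.0.0.5\tPOST\thttps://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN\t-",
    "2024-06-01T10:00:09Z\t10.0.0.5\tGET\thttps://discord.com/api/v9/users/@me\tDiscord/1.0.9000",
    "2024-06-01T10:01:00Z\t10.0.0.7\tPOST\thttps://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN"
    "\tMozilla/5.0 (Windows NT 10.0) Chrome/120",
]


def triage(events, proxy_lines):
    return {"hash_hits": sysmon_hash_hits(events), "webhook_posts": webhook_exfil_hits(proxy_lines)}


if __name__ == "__main__":
    for category, rows in triage(SAMPLE_SYSMON, SAMPLE_PROXY).items():
        for row in rows:
            print(category, *row)
```

The webhook path and token captured this way are also what you hand to Discord's abuse channel to get the endpoint revoked, which cuts off exfiltration for every victim using that build.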