SadFuture: Mapping XDSpy latest evolution

MITRE Techniques

• [T1204] User Execution – The infection chain begins with the user opening malicious ZIP archives and LNK files that trigger payload execution. (‘user unzipping the archive and opening the embedded LNK file’)
• [T1547] Boot or Logon Autostart Execution – ETDownloader establishes persistence by creating a startup batch file in the user’s Start Menu Startup folder. (‘creates persistence by writing a startapp.bat Batch file… containing Start “” “%AppData%2A5S2FQJSU9BYEZYZO107H.exe” /startup’)
• [T1041] Exfiltration Over C2 Channel – Collected data and files are encrypted and exfiltrated to the C2 server using HTTPS POST multipart forms. (‘Files are being exfiltrated as multipart forms via HTTP POST requests…’)
• [T1059] Command and Scripting Interpreter – The LNK triggers execution of a Windows shell command and dynamically compiled JavaScript .NET code to unpack and run the payload. (‘compiles the… JavaScript .NET code snippet and runs… to extract and execute payload’)
• [T1036] Masquerading – The use of legitimate Microsoft signed executables (DeviceMetadataWizard.exe) to sideload malicious DLLs to evade detection. (‘stage 1 DLL sideloaded by legitimate signed Microsoft executable DeviceMetadataWizard.exe’)
• [T1083] File and Directory Discovery – XDigo implants scan user directories and other volumes for files with specific extensions. (‘scanning the current user’s home directory for files with one of 13 hardcoded extensions’)
• [T1064] Scripting – ETDownloader uses dynamically compiled .NET scripts for unpacking and execution of next stages. (‘compiles… using legitimate system compiler jsc.exe… runs the previously created unzip.exe’)