Malware Starloader
Starloader is a loader component that has been observed loading Felismus and associated tools.
Platforms : Windows
Version : 1.1
Created : 16 January 2018
Last Modified : 18 March 2020
Version : 1.1
Created : 16 January 2018
Last Modified : 18 March 2020
List of techniques used :
| id | description |
|---|---|
| T1036.005 | Masquerading: Match Legitimate Name or Location Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous. Adversaries may also use the same icon of the file they are trying to mimic. |
| T1140 | Deobfuscate/Decode Files or Information Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is the use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. |
List of groups using the malware :
| id | description |
|---|---|
| G0054 | Sowbug Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. |
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.