Wingbird
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1547 | .008 | Boot or Logon Autostart Execution: LSASS Driver |
Wingbird drops a malicious file (sspisrv.dll) alongside a copy of lsass.exe, which is used to register a service that loads sspisrv.dll as a driver. The payload of the malicious driver (located in its entry-point function) is executed when loaded by lsass.exe before the spoofed service becomes unstable and crashes.[1][3] |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file.[1][3] |
| Enterprise | T1068 | Exploitation for Privilege Escalation |
Wingbird exploits CVE-2016-4117 to allow an executable to gain escalated privileges.[1] |
|
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
Wingbird side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service.[1][3] |
| Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
Wingbird deletes its payload along with the payload's parent process after it finishes copying files.[1] |
| Enterprise | T1055 | Process Injection |
Wingbird performs multiple process injections to hijack system processes and execute malicious code.[1] |
|
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Wingbird checks for the presence of Bitdefender security software.[1] |
| Enterprise | T1082 | System Information Discovery |
Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit.[1] |
|
| Enterprise | T1569 | .002 | System Services: Service Execution |
Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file.[1][3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0055 | NEODYMIUM |