build_downer

build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.[1]

ID: S0471
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 10 June 2020
Last Modified: 24 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

build_downer has the ability to add itself to the Registry Run key for persistence.[1]

Enterprise T1105 Ingress Tool Transfer

build_downer has the ability to download files from C2 to the infected host.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

build_downer has added itself to the Registry Run key as "NVIDIA" to appear legitimate.[1]

Enterprise T1106 Native API

build_downer has the ability to use the WinExec API to execute malware on a compromised host.[1]

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

build_downer can extract malware from a downloaded JPEG.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

build_downer has the ability to detect if the infected host is running an anti-virus process.[1]

Enterprise T1082 System Information Discovery

build_downer has the ability to send system volume information to C2.[1]

Enterprise T1124 System Time Discovery

build_downer has the ability to determine the local time to ensure malware installation only happens during the hours that the infected system is active.[1]

Groups That Use This Software

ID Name References
G0060 BRONZE BUTLER

[1]

References