Disco is a custom implant that has been used by MoustachedBouncer since at least 2020, including in campaigns using targeted malicious content injection for initial access and command and control.[1]

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | |
| Enterprise | T1659 | Content Injection | Disco has achieved initial access and execution through content injection into DNS, HTTP, and SMB replies to targeted hosts that redirect them to download malicious files.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Disco can create a scheduled task to run every minute for persistence.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Disco has been executed through inducing user interaction with malicious .zip and .msi files.[1] |

| ID | Name | References |
|---|---|---|
| G1019 | MoustachedBouncer | |