ATT&CK v15.1 has been released! Check out the blog post or release notes for more information.

LoFiSe

LoFiSe has been used by ToddyCat since at least 2023 to identify and collect files of interest on targeted systems.^[1]

ID: S1101

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 19 January 2024

Last Modified: 19 January 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1560		Archive Collected Data	LoFiSe can collect files into password-protected ZIP-archives for exfiltration.^[1]
Enterprise	T1119		Automated Collection	LoFiSe can collect all the files from the working directory every three hours and place them into a password-protected archive for further exfiltration.^[1]
Enterprise	T1005		Data from Local System	LoFiSe can collect files of interest from targeted systems.^[1]
Enterprise	T1074	.001	Data Staged: Local Data Staging	LoFiSe can save files to be evaluated for further exfiltration in the `C:\Programdata\Microsoft\` and `C:\windows\temp\` folders. ^[1]
Enterprise	T1083		File and Directory Discovery	LoFiSe can monitor the file system to identify files less than 6.4 MB in size with file extensions including .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .tif, .odt, .ods, .odp, .eml, and .msg.^[1]
Enterprise	T1574	.002	Hijack Execution Flow: DLL Side-Loading	LoFiSe has been executed as a file named DsNcDiag.dll through side-loading.^[1]

Groups That Use This Software

ID	Name	References
G1022	ToddyCat	^[1]

References

Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.