Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control | |
Enterprise | T1059 | .007 | Command and Scripting Interpreter: JavaScript |
Evilnum has used malicious JavaScript files on the victim's machine.[1] |
Enterprise | T1555 | Credentials from Password Stores | ||
Enterprise | T1574 | .001 | Hijack Execution Flow: DLL Search Order Hijacking |
Evilnum has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, instead of the original Windows DLL located in a system folder.[1] |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion | |
Enterprise | T1105 | Ingress Tool Transfer |
Evilnum can deploy additional components or tools as needed.[1] |
|
Enterprise | T1566 | .002 | Phishing: Spearphishing Link |
Evilnum has sent spearphishing emails containing a link to a zip file hosted on Google Drive.[1] |
Enterprise | T1219 | Remote Access Software |
EVILNUM has used the malware variant, TerraTV, to run a legitimate TeamViewer application to connect to compromrised machines.[1] |
|
Enterprise | T1539 | Steal Web Session Cookie |
Evilnum can steal cookies and session information from browsers.[1] |
|
Enterprise | T1204 | .001 | User Execution: Malicious Link |
Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which downloads a .LNK file.[1] |
Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments. [1] |