Psylo

Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM. [1]

ID: S0078
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Psylo uses HTTPS for C2.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Psylo exfiltrates data to its C2 server over the same protocol as C2 communications.[1]

Enterprise T1083 File and Directory Discovery

Psylo has commands to enumerate all storage devices and to find all files that start with a particular string.[1]

Enterprise T1070 .006 Indicator Removal on Host: Timestomp

Psylo has a command to conduct timestomping by setting a specified file’s timestamps to match those of a system file in the System32 directory.[1]

Enterprise T1105 Ingress Tool Transfer

Psylo has a command to download a file to the system from its C2 server.[1]

Groups That Use This Software

ID Name References
G0029 Scarlet Mimic

[1]

References