1. Home
  2. Software
  3. Pteranodon

Pteranodon

Pteranodon is a custom backdoor used by Gamaredon Group. [1]

ID: S0147
Associated Software: Pterodo
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 31 May 2017
Last Modified: 23 August 2022
Version Permalink

Associated Software Descriptions

Name Description
Pterodo

[2][3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Pteranodon can use HTTP for C2.[1]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Pteranodon copies itself to the Startup folder to establish persistence.[1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Pteranodon can use cmd.exe for execution on victim systems.[1][2]
.005 Command and Scripting Interpreter: Visual Basic

Pteranodon can use a malicious VBS file for execution.[2]
Enterprise T1074 .001 Data Staged: Local Data Staging

Pteranodon creates various subdirectories under %Temp%\reports\% and copies files to those subdirectories. It also creates a folder at C:\Users\\AppData\Roaming\Microsoft\store to store screenshot JPEG files.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Pteranodon can decrypt encrypted data strings prior to using them.[4]
Enterprise T1041 Exfiltration Over C2 Channel

Pteranodon exfiltrates screenshot files to its C2 server.[1]
Enterprise T1083 File and Directory Discovery

Pteranodon identifies files matching certain file extension and copies them to subdirectories it created.[1]
Enterprise T1070 .004 Indicator Removal: File Deletion

Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes.[1]
Enterprise T1105 Ingress Tool Transfer

Pteranodon can download and execute additional files.[1][2][5]
Enterprise T1106 Native API

Pteranodon has used various API calls.[4]
Enterprise T1027 .007 Obfuscated Files or Information: Dynamic API Resolution

Pteranodon can use a dynamic Windows hashing algorithm to map API components.[4]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Pteranodon schedules tasks to invoke its components in order to establish persistence.[1][2]
Enterprise T1113 Screen Capture

Pteranodon can capture screenshots at a configurable interval.[1][5]
Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Pteranodon can use mshta.exe to execute an HTA file hosted on a remote server.[2]
.011 System Binary Proxy Execution: Rundll32

Pteranodon executes functions using rundll32.exe.[1]
Enterprise T1497 Virtualization/Sandbox Evasion

Pteranodon has the ability to use anti-detection functions to identify sandbox environments.[5]

Groups That Use This Software

ID Name References
G0047 Gamaredon Group

[1][2][4][5][3]

References

  1. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  2. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
  3. Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022.
  1. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  2. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.