Pteranodon is a custom backdoor used by Gamaredon Group. [1]

ID: S0147
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 22 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Pteranodon can use HTTP for C2.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Pteranodon copies itself to the Startup folder to establish persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Pteranodon can execute commands on the victim.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Pteranodon creates various subdirectories under %Temp%\reports\% and copies files to those subdirectories. It also creates a folder at C:\Users\\AppData\Roaming\Microsoft\store to store screenshot JPEG files.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Pteranodon exfiltrates screenshot files to its C2 server.[1]

Enterprise T1083 File and Directory Discovery

Pteranodon identifies files matching certain file extensions and copies them to subdirectories it created.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Pteranodon can delete files that may interfere with its execution. It can also delete temporary files and itself after the initial script executes.[1]

Enterprise T1105 Ingress Tool Transfer

Pteranodon can download and execute additional files.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Pteranodon schedules tasks to invoke its components in order to establish persistence.[1]

Enterprise T1113 Screen Capture

Pteranodon can capture screenshots at a configurable interval.[1]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

Pteranodon executes functions using rundll32.exe.[1]
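The Data Staged, Screen Capture and Startup-folder entries above all leave file-system artefacts in user-profile locations. The script below is an added example (not MITRE's or the cited report's code) that runs over a file inventory and flags paths matching those documented locations: subdirectories under %Temp%\reports\, JPEG files under AppData\Roaming\Microsoft\store, and executable content dropped into the per-user Startup folder. The regexes, the assumption that %Temp% resolves to a path containing \Temp\, the extension list for Startup copies, and the inventory itself are all constructed for this example, not signatures from the original report.

```python
"""Triage a Windows file inventory for the staging artefacts described above.

Added example: the path patterns are assumptions derived from the page's
wording (not indicators published by the cited report), and the inventory
below is constructed sample data, not a real capture.
"""
import re
from typing import Dict, Iterable, List

# Rules are applied to normalised paths: forward slashes become backslashes
# and everything is lower-cased so casing differences do not hide a match.
STAGING_RULES: Dict[str, "re.Pattern[str]"] = {
    # %Temp%\reports\<subdir>\<file>: assumes %Temp% expands to a path
    # that contains "\Temp\" (e.g. C:\Users\<user>\AppData\Local\Temp).
    "local_staging_reports": re.compile(r"\\temp\\reports\\[^\\]+\\"),
    # Screenshot store: JPEG files directly under ...\Microsoft\store\.
    "screenshot_store": re.compile(
        r"\\appdata\\roaming\\microsoft\\store\\[^\\]+\.jpe?g$"),
    # Per-user Startup folder; the extension list is an assumption.
    "startup_folder_copy": re.compile(
        r"\\start menu\\programs\\startup\\[^\\]+\.(exe|dll|vbs|bat|cmd|lnk)$"),
}


def normalise(path: str) -> str:
    """Canonicalise a Windows path for pattern matching."""
    return path.replace("/", "\\").lower()


def classify(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Map each rule name to the original (un-normalised) paths it matched."""
    hits: Dict[str, List[str]] = {name: [] for name in STAGING_RULES}
    for original in paths:
        candidate = normalise(original)
        for name, pattern in STAGING_RULES.items():
            if pattern.search(candidate):
                hits[name].append(original)
    return hits


def summarise(hits: Dict[str, List[str]]) -> List[str]:
    """One line per rule with a count, in rule order, for a triage note."""
    return [f"{name}: {len(paths)} path(s)" for name, paths in hits.items()]


def total_hits(hits: Dict[str, List[str]]) -> int:
    return sum(len(paths) for paths in hits.values())


# Constructed inventory: mixes matching and benign paths, including one
# with forward slashes to show that normalisation handles it.
CONSTRUCTED_INVENTORY = [
    r"C:\Users\alice\AppData\Local\Temp\reports\docs\budget.xlsx",
    "C:/Users/bob/AppData/Local/Temp/reports/pics/photo.png",
    r"C:\Users\alice\AppData\Roaming\Microsoft\store\20200622_101500.jpg",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\store\thumbs.db",   # not a JPEG
    r"C:\Users\alice\AppData\Local\Temp\report.txt",               # not under reports\
    r"C:\Users\alice\Documents\notes.txt",                          # benign
]


if __name__ == "__main__":
    results = classify(CONSTRUCTED_INVENTORY)
    for line in summarise(results):
        print(line)
    for name, paths in results.items():
        for p in paths:
            print(f"  [{name}] {p}")
```

Feed it the output of a forensic file listing (one path per line) and review each rule's hits; a non-empty `screenshot_store` bucket combined with `local_staging_reports` hits on the same profile is the pattern worth escalating, since it reproduces the staging-then-exfiltration sequence the entries above describe.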

Groups That Use This Software

ID Name References
G0047 Gamaredon Group