Pteranodon is a custom backdoor used by Gamaredon Group. [1]

ID: S0147
Associated Software: Pterodo
Platforms: Windows
Version: 2.1
Created: 31 May 2017
Last Modified: 23 August 2022

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Pteranodon can use HTTP for C2.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Pteranodon copies itself to the Startup folder to establish persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Pteranodon can use cmd.exe for execution on victim systems.[1][2]

.005 Command and Scripting Interpreter: Visual Basic

Pteranodon can use a malicious VBS file for execution.[2]

Enterprise T1074 .001 Data Staged: Local Data Staging

Pteranodon creates various subdirectories under %Temp%\reports\% and copies files to those subdirectories. It also creates a folder at C:\Users\\AppData\Roaming\Microsoft\store to store screenshot JPEG files.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Pteranodon can decrypt encrypted data strings prior to using them.[4]

Enterprise T1041 Exfiltration Over C2 Channel

Pteranodon exfiltrates screenshot files to its C2 server.[1]

Enterprise T1083 File and Directory Discovery

Pteranodon identifies files matching certain file extension and copies them to subdirectories it created.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes.[1]

Enterprise T1105 Ingress Tool Transfer

Pteranodon can download and execute additional files.[1][2][5]

Enterprise T1106 Native API

Pteranodon has used various API calls.[4]

Enterprise T1027 .007 Obfuscated Files or Information: Dynamic API Resolution

Pteranodon can use a dynamic Windows hashing algorithm to map API components.[4]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Pteranodon schedules tasks to invoke its components in order to establish persistence.[1][2]

Enterprise T1113 Screen Capture

Pteranodon can capture screenshots at a configurable interval.[1][5]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Pteranodon can use mshta.exe to execute an HTA file hosted on a remote server.[2]

.011 System Binary Proxy Execution: Rundll32

Pteranodon executes functions using rundll32.exe.[1]

Enterprise T1497 Virtualization/Sandbox Evasion

Pteranodon has the ability to use anti-detection functions to identify sandbox environments.[5]

Groups That Use This Software

ID Name References
G0047 Gamaredon Group