Pteranodon is a custom backdoor used by Gamaredon Group. [1]

ID: S0147
Platforms: Windows

Version: 1.0

Techniques Used

Domain     | ID    | Name                                        | Use
Enterprise | T1059 | Command-Line Interface                      | Pteranodon can execute commands on the victim. [1]
Enterprise | T1074 | Data Staged                                 | Pteranodon creates various subdirectories under %Temp%\reports\% and copies files to those subdirectories. It also creates a folder at C:\Users\\AppData\Roaming\Microsoft\store to store screenshot JPEG files. [1]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | Pteranodon exfiltrates screenshot files to its C2 server. [1]
Enterprise | T1083 | File and Directory Discovery                | Pteranodon identifies files matching certain file extensions and copies them to subdirectories it created. [1]
Enterprise | T1107 | File Deletion                               | Pteranodon can delete files that may interfere with its execution. It can also delete temporary files and itself after the initial script executes. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder          | Pteranodon copies itself to the Startup folder to establish persistence. [1]
Enterprise | T1105 | Remote File Copy                            | Pteranodon can download and execute additional files. [1]
Enterprise | T1085 | Rundll32                                    | Pteranodon executes functions using rundll32.exe. [1]
Enterprise | T1053 | Scheduled Task                              | Pteranodon schedules tasks to invoke its components in order to establish persistence. [1]
Enterprise | T1113 | Screen Capture                              | Pteranodon can capture screenshots at a configurable interval. [1]
Enterprise | T1071 | Standard Application Layer Protocol         | Pteranodon can use HTTP for C2. [1]
Groups that use this software:

Gamaredon Group