EvilGrab

EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. [1]

ID: S0152
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 14 December 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture

EvilGrab has the capability to capture audio from a victim machine.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence.[1]

Enterprise T1056 .001 Input Capture: Keylogging

EvilGrab has the capability to capture keystrokes.[1]

Enterprise T1113 Screen Capture

EvilGrab has the capability to capture screenshots.[1]

Enterprise T1125 Video Capture

EvilGrab has the capability to capture video from a victim machine.[1]

Groups That Use This Software

ID Name References
G0045 menuPass

[1]

References