PUNCHBUGGY

PUNCHBUGGY is a dynamic-link library (DLL) downloader utilized by FIN8. [1] [2]

ID: S0196
Aliases: PUNCHBUGGY
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

| Name | Description |
| --- | --- |
| PUNCHBUGGY | [1] [2] |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1182 | AppCert DLLs | PUNCHBUGGY can establish persistence using an AppCertDLLs Registry key. [2] |
| Enterprise | T1129 | Execution through Module Load | PUNCHBUGGY can load a DLL using the LoadLibrary API. [2] |
| Enterprise | T1107 | File Deletion | PUNCHBUGGY can delete files written to disk. [2] |
| Enterprise | T1036 | Masquerading | PUNCHBUGGY mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%. [2] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | PUNCHBUGGY can establish persistence using a Registry run key. [2] |
| Enterprise | T1105 | Remote File Copy | PUNCHBUGGY can download additional files and payloads to compromised hosts. [2] |
| Enterprise | T1085 | Rundll32 | PUNCHBUGGY can load a DLL using Rundll32. [2] |
| Enterprise | T1071 | Standard Application Layer Protocol | PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests. [1] [2] |

Groups

Groups that use this software:

FIN8

References