Micropsia

Micropsia is a remote access tool written in Delphi.[1][2]

ID: S0339
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain | ID | Name | Use
------ | -- | ---- | ---
Enterprise | T1123 | Audio Capture | Micropsia can perform microphone recording. [2]
Enterprise | T1119 | Automated Collection | Micropsia executes a RAR tool to recursively archive files based on a predefined list of file extensions (.xls, .xlsx, .csv, .odt, .doc, .docx, .ppt, .pptx, .pdf, .mdb, .accdb, .accde, .txt). [2]
Enterprise | T1059 | Command-Line Interface | Micropsia creates a command-line shell using cmd.exe. [2]
Enterprise | T1002 | Data Compressed | Micropsia creates a RAR archive based on collected files on the victim's machine. [2]
Enterprise | T1083 | File and Directory Discovery | Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths. [2]
Enterprise | T1158 | Hidden Files and Directories | Micropsia creates a new hidden directory to store all components' outputs in a dedicated sub-folder for each. [2]
Enterprise | T1056 | Input Capture | Micropsia has keylogging capabilities. [2]
Enterprise | T1027 | Obfuscated Files or Information | Micropsia obfuscates the configuration with a custom Base64 and XOR. [1] [2]
Enterprise | T1105 | Remote File Copy | Micropsia can download and execute an executable from the C2 server. [1] [2]
Enterprise | T1113 | Screen Capture | Micropsia takes screenshots every 90 seconds by calling the Gdi32.BitBlt API. [2]
Enterprise | T1063 | Security Software Discovery | Micropsia searches for anti-virus software and firewall products installed on the victim's machine using WMI. [1] [2]
Enterprise | T1023 | Shortcut Modification | Micropsia creates a shortcut to maintain persistence. [1]
Enterprise | T1071 | Standard Application Layer Protocol | Micropsia uses HTTP and HTTPS for C2 network communications. [1] [2]
Enterprise | T1082 | System Information Discovery | Micropsia gathers the hostname and OS version from the victim's machine. [1] [2]
Enterprise | T1033 | System Owner/User Discovery | Micropsia collects the username from the victim's machine. [1]
Enterprise | T1047 | Windows Management Instrumentation | Micropsia searches for anti-virus software and firewall products installed on the victim's machine using WMI. [1] [2]

References