Micropsia

Micropsia is a remote access tool written in Delphi.[1][2]

ID: S0339
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture

Micropsia can perform microphone recording.[2]

Enterprise T1119 Automated Collection

Micropsia executes an RAR tool to recursively archive files based on a predefined list of file extensions (.xls, .xlsx, .csv, .odt, .doc, .docx, .ppt, .pptx, .pdf, .mdb, .accdb, .accde, *.txt).[2]

Enterprise T1059 Command-Line Interface

Micropsia creates a command-line shell using cmd.exe.[2]

Enterprise T1002 Data Compressed

Micropsia creates a RAR archive based on collected files on the victim's machine.[2]

Enterprise T1083 File and Directory Discovery

Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths.[2]

Enterprise T1158 Hidden Files and Directories

Micropsia creates a new hidden directory to store all components' outputs in a dedicated sub-folder for each.[2]

Enterprise T1056 Input Capture

Micropsia has keylogging capabilities.[2]

Enterprise T1027 Obfuscated Files or Information

Micropsia obfuscates the configuration with a custom Base64 and XOR.[1][2]

Enterprise T1105 Remote File Copy

Micropsia can download and execute an executable from the C2 server.[1][2]

Enterprise T1113 Screen Capture

Micropsia takes screenshots every 90 seconds by calling the Gdi32.BitBlt API.[2]

Enterprise T1063 Security Software Discovery

Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.[1][2]

Enterprise T1023 Shortcut Modification

Micropsia creates a shortcut to maintain persistence.[1]

Enterprise T1071 Standard Application Layer Protocol

Micropsia uses HTTP and HTTPS for C2 network communications.[1][2]

Enterprise T1082 System Information Discovery

Micropsia gathers the hostname and OS version from the victim’s machine.[1][2]

Enterprise T1033 System Owner/User Discovery

Micropsia collects the username from the victim’s machine.[1]

Enterprise T1047 Windows Management Instrumentation

Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.[1][2]

References