MechaFlounder is a Python-based remote access tool (RAT) that has been used by APT39. The payload combines actor-developed code with code snippets freely available online in development communities.[1]

ID: S0459
Platforms: Windows
Version: 1.0
Created: 27 May 2020
Last Modified: 28 May 2020

Techniques Used

Domain ID Name Use

Enterprise T1071.001 Application Layer Protocol: Web Protocols
MechaFlounder can communicate with its C2 server over HTTP.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell
MechaFlounder can run commands on a compromised host.[1]

Enterprise T1059.006 Command and Scripting Interpreter: Python
MechaFlounder is a Python-based payload.[1]

Enterprise T1132.001 Data Encoding: Standard Encoding
MechaFlounder can use base16-encoded strings in its C2 traffic.[1]

Enterprise T1041 Exfiltration Over C2 Channel
MechaFlounder can send the compromised user's account name and hostname to its C2 server embedded in a URL.[1]

Enterprise T1105 Ingress Tool Transfer
MechaFlounder can upload and download files to and from a compromised host.[1]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location
MechaFlounder has been downloaded as a file named lsass.exe, matching the name of the legitimate Windows Local Security Authority Subsystem Service binary.[1]

Enterprise T1033 System Owner/User Discovery
MechaFlounder can identify the username and hostname of a compromised host.[1]
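
Detection example. The block below is added here to illustrate two of the behaviours listed above; it is not code from the ATT&CK page, from the cited report, or from MechaFlounder itself. The first part decodes long base16 (hex) runs found in proxied HTTP URLs and flags those that decode to an account@hostname string (T1071.001, T1132.001, T1041); the second flags an lsass.exe process whose image path or parent does not match the genuine service (T1036.005). The user@host layout of the beacon, the proxy log format, and the process snapshot are constructed assumptions for illustration; the page does not document the implant's real wire format.

```python
"""Added detection example for this page (not MITRE's or MechaFlounder's code).

Illustrates two behaviours the page attributes to the tool:
  * T1071.001 / T1132.001 / T1041: victim account name and hostname sent to the
    C2 server inside an HTTP URL as a base16 (hex) encoded string, and
  * T1036.005: the payload dropped under the name lsass.exe.
The `user@host` URL layout, the proxy log format and the process snapshot are
constructed assumptions; the implant's real wire format is not on the page.
"""
import base64
import binascii
import re
from typing import Dict, List, Tuple

# --- part 1: hex-encoded identity strings in C2 URLs -----------------------

# Constructed victim identifier; the user@host layout is an assumption.
_BEACON_HEX = "jsmith@DESKTOP001".encode("ascii").hex().upper()

# Constructed web-proxy log: "<client> <method> <url>" per line.
SAMPLE_PROXY_LOG = f"""\
10.0.0.5 GET http://cdn.example.net/assets/app.js
10.0.0.7 GET http://203.0.113.10/{_BEACON_HEX}
10.0.0.9 POST http://intranet.corp/api/upload
10.0.0.7 GET http://203.0.113.10/{_BEACON_HEX}/0A
"""

# Runs of at least 16 hex digits that are not glued to other hex digits.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{16,})(?![0-9A-Fa-f])")
# Heuristic for a decoded "account@hostname" string (assumed layout).
USER_AT_HOST = re.compile(r"^[A-Za-z0-9._$-]+@[A-Za-z0-9._-]+$")


def decode_hex_runs(url: str) -> List[str]:
    """Base16-decode every long hex run in a URL, keeping printable ASCII results.

    Legitimate URLs carry hex too (asset fingerprints, session ids), but those
    rarely decode to clean printable text, which is what filters them out.
    """
    decoded: List[str] = []
    for match in HEX_RUN.finditer(url):
        token = match.group(1)
        if len(token) % 2:  # base16 needs an even number of digits
            continue
        try:
            raw = base64.b16decode(token, casefold=True)
        except binascii.Error:
            continue
        if raw and all(0x20 <= b < 0x7F for b in raw):
            decoded.append(raw.decode("ascii"))
    return decoded


def find_identity_beacons(log_text: str) -> List[Dict[str, str]]:
    """Return proxy log entries whose URL carries a hex-encoded user@host string."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        client, _method, url = fields
        for text in decode_hex_runs(url):
            if USER_AT_HOST.match(text):
                user, host = text.split("@", 1)
                hits.append({"client": client, "url": url, "user": user, "host": host})
    return hits


# --- part 2: lsass.exe masquerading ----------------------------------------

# Constructed process snapshot: (pid, image name, image path, parent image name).
SAMPLE_PROCESSES: List[Tuple[int, str, str, str]] = [
    (700, "lsass.exe", r"C:\Windows\System32\lsass.exe", "wininit.exe"),
    (4120, "lsass.exe", r"C:\Users\jsmith\AppData\Local\Temp\lsass.exe", "explorer.exe"),
    (2210, "python.exe", r"C:\Python39\python.exe", "cmd.exe"),
]

# On a default Windows install the genuine LSASS runs from System32 and is
# started by wininit.exe.
LEGIT_LSASS_PATH = r"c:\windows\system32\lsass.exe"
LEGIT_LSASS_PARENT = "wininit.exe"


def find_masquerading_lsass(processes) -> List[Dict[str, object]]:
    """Flag lsass.exe processes whose path or parent does not match the real service."""
    alerts: List[Dict[str, object]] = []
    for pid, name, path, parent in processes:
        if name.lower() != "lsass.exe":
            continue
        reasons = []
        if path.lower() != LEGIT_LSASS_PATH:
            reasons.append(f"unexpected image path {path}")
        if parent.lower() != LEGIT_LSASS_PARENT:
            reasons.append(f"unexpected parent {parent}")
        if reasons:
            alerts.append({"pid": pid, "path": path, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for hit in find_identity_beacons(SAMPLE_PROXY_LOG):
        print(f"[beacon] {hit['client']} -> {hit['url']} decodes to {hit['user']}@{hit['host']}")
    for alert in find_masquerading_lsass(SAMPLE_PROCESSES):
        print(f"[masquerade] pid {alert['pid']}: " + "; ".join(alert["reasons"]))
```

Run against the constructed sample, the beacon check flags only the two requests from 10.0.0.7, and the process check flags only the lsass.exe instance running from a user's Temp directory under explorer.exe. The printable-ASCII filter and the user@host pattern are what keep hex asset fingerprints and session identifiers in ordinary web traffic from tripping the first check; a real deployment would tune both to the specific hex payload layout observed in the implant's traffic.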

Groups That Use This Software

ID Name References
G0087 APT39