Ferocious is a first stage implant composed of VBS and PowerShell scripts that has been used by WIRTE since at least 2021.[1]

ID: S0679
Platforms: Windows
Version: 1.0
Created: 01 February 2022
Last Modified: 01 February 2022

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Ferocious can use PowerShell scripts for execution.[1]

.005 Command and Scripting Interpreter: Visual Basic

Ferocious has the ability to use Visual Basic scripts for execution.[1]

Enterprise T1546 .015 Event Triggered Execution: Component Object Model Hijacking

Ferocious can use COM hijacking to establish persistence.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Ferocious can delete files from a compromised host.[1]

Enterprise T1112 Modify Registry

Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms.[1]

Enterprise T1120 Peripheral Device Discovery

Ferocious can run GET.WORKSPACE in Microsoft Excel to check if a mouse is present.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Ferocious has checked for AV software as part of its persistence process.[1]

Enterprise T1082 System Information Discovery

Ferocious can use GET.WORKSPACE in Microsoft Excel to determine the OS version of the compromised host.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Ferocious can run anti-sandbox checks using the Microsoft Excel 4.0 function GET.WORKSPACE to determine the OS version, if there is a mouse present, and if the host is capable of playing sounds.[1]

Groups That Use This Software

ID Name References