1. Home
  2. Software
  3. LitePower

LitePower

LitePower is a downloader and second stage malware that has been used by WIRTE since at least 2021.[1]

ID: S0680
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 02 February 2022
Last Modified: 16 April 2022
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

LitePower can use HTTP and HTTPS for C2 communications.[1]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

LitePower can use a PowerShell script to execute commands.[1]
Enterprise T1041 Exfiltration Over C2 Channel

LitePower can send collected data, including screenshots, over its C2 channel.[1]
Enterprise T1105 Ingress Tool Transfer

LitePower has the ability to download payloads containing system commands to a compromised host.[1]
Enterprise T1106 Native API

LitePower can use various API calls.[1]
Enterprise T1012 Query Registry

LitePower can query the Registry for keys added to execute COM hijacking.[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

LitePower can create a scheduled task to enable persistence mechanisms.[1]
Enterprise T1113 Screen Capture

LitePower can take system screenshots and save them to %AppData%.[1]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

LitePower can identify installed AV software.[1]
Enterprise T1082 System Information Discovery

LitePower has the ability to list local drives and enumerate the OS architecture.[1]
Enterprise T1033 System Owner/User Discovery

LitePower can determine if the current user has admin privileges.[1]

Groups That Use This Software

ID Name References
G0090 WIRTE

[1]

References

  1. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.