OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Ember Bear since at least March 2021.
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1119 | Automated Collection | OutSteel can automatically scan for and collect files with specific extensions. |
| Enterprise | T1020 | Automated Exfiltration | OutSteel can automatically upload collected files to its C2 server. |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | OutSteel has used |
| Enterprise | T1005 | Data from Local System | OutSteel can collect information from a compromised host. |
| Enterprise | T1041 | Exfiltration Over C2 Channel | OutSteel can upload files from a compromised host over its C2 channel. |
| Enterprise | T1083 | File and Directory Discovery | OutSteel can search for specific file extensions, including zipped files. |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | OutSteel can delete itself following the successful execution of a follow-on payload. |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | OutSteel has been distributed as a malicious attachment within a spearphishing email. |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | OutSteel has been distributed through malicious links contained within spearphishing emails. |
| Enterprise | T1057 | Process Discovery | OutSteel can identify running processes on a compromised host. |
| Enterprise | T1204.001 | User Execution: Malicious Link | OutSteel has relied on a user to click a malicious link within a spearphishing email. |
| Enterprise | T1204.002 | User Execution: Malicious File | OutSteel has relied on a user to execute a malicious attachment delivered via spearphishing. |
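The technique rows above describe a chain a detection engineer can hunt for as one sequence rather than as isolated events: a process spawns the Windows command shell to enumerate document and archive extensions (T1059.003, T1083, T1119), the same process then opens an outbound web connection (T1071.001, T1041), and a second shell deletes the original executable (T1070.004). The script below is an added example, not part of this page or of any published OutSteel analysis. It assumes a constructed, Sysmon-like pipe-delimited event format (real Sysmon telemetry is EVTX/XML and would need its own parser), an assumed extension list, an assumed ten-minute correlation window, and the assumed `ping ... & del "<self>"` self-deletion idiom; the sample events are constructed and are not real OutSteel logs.

```python
"""Hunt process telemetry for an OutSteel-style collect / upload / self-delete chain.

Added example. Log format, extension list, correlation window and the
self-delete command shape are all assumptions, not facts from the page.
"""
import re
from datetime import datetime, timedelta

# Constructed, Sysmon-like telemetry (NOT real OutSteel logs).
# fields: timestamp|event_id|key=value|...   event 1 = process create, 3 = network connect
SAMPLE_EVENTS = r"""
2021-03-01T10:00:01Z|1|pid=4100|ppid=3000|image=C:\Users\u\AppData\Local\Temp\invoice.exe|cmdline="C:\Users\u\AppData\Local\Temp\invoice.exe"
2021-03-01T10:00:02Z|1|pid=4120|ppid=4100|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c dir /s /b C:\Users\u\*.docx C:\Users\u\*.pdf C:\Users\u\*.zip
2021-03-01T10:00:09Z|3|pid=4100|dst=203.0.113.10:80
2021-03-01T10:00:15Z|1|pid=4130|ppid=4100|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c ping 127.0.0.1 -n 3 & del "C:\Users\u\AppData\Local\Temp\invoice.exe"
2021-03-01T11:00:00Z|1|pid=5000|ppid=900|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c dir /s C:\Users\u\*.docx
2021-03-01T11:00:03Z|3|pid=2200|dst=198.51.100.7:443
"""

# Assumed set of "document" extensions worth stealing; the page only says "specific extensions, including zipped files".
DOC_EXTS = ("doc", "docx", "xls", "xlsx", "pdf", "txt", "rtf", "zip", "rar", "7z")
WINDOW = timedelta(minutes=10)  # assumed max gap between discovery and upload

DISCOVERY_RE = re.compile(r"\bdir\b.*\s/s\b", re.IGNORECASE)           # recursive dir listing
EXT_RE = re.compile(r"\*\.(" + "|".join(DOC_EXTS) + r")\b", re.IGNORECASE)
DEL_RE = re.compile(r"\bdel\s+(?:/\w\s+)*\"?([^\"&]+?)\"?\s*(?:&|$)", re.IGNORECASE)


def parse_events(text):
    """Turn the pipe-delimited sample format into a list of dicts (timestamps parsed)."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, *kvs = line.split("|")
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "eid": int(eid)}
        for kv in kvs:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def hunt(events):
    """Return one alert per root process that both enumerated documents via cmd.exe
    and made an outbound web connection within WINDOW; self-deletion is recorded as
    an extra stage when the deleted path equals the root process image."""
    images = {}   # pid -> image path, learned from process-create events
    stages = {}   # root pid -> {stage name: first timestamp seen}

    def mark(root, stage, ts):
        stages.setdefault(root, {}).setdefault(stage, ts)

    for ev in events:
        if ev["eid"] == 1:
            images[ev["pid"]] = ev["image"]
            cmd = ev["cmdline"]
            if ev["image"].lower().endswith("\\cmd.exe"):
                parent = ev["ppid"]                      # attribute the shell to its spawner
                if DISCOVERY_RE.search(cmd) and EXT_RE.search(cmd):
                    mark(parent, "discovery", ev["ts"])  # T1059.003 driving T1083 / T1119
                m = DEL_RE.search(cmd)
                if m and images.get(parent, "").lower() == m.group(1).strip().lower():
                    mark(parent, "self_delete", ev["ts"])  # T1070.004: parent deletes itself
        elif ev["eid"] == 3:
            port = int(ev["dst"].rsplit(":", 1)[1])
            if port in (80, 443):
                mark(ev["pid"], "outbound_http", ev["ts"])  # T1071.001 carrying T1041

    alerts = []
    for pid, seen in stages.items():
        if "discovery" in seen and "outbound_http" in seen:
            gap = seen["outbound_http"] - seen["discovery"]
            if timedelta(0) <= gap <= WINDOW:            # upload must follow the scan
                alerts.append({"pid": pid, "image": images.get(pid), "stages": sorted(seen)})
    return alerts


if __name__ == "__main__":
    for alert in hunt(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run on the constructed sample, only pid 4100 is flagged: the lone `dir /s *.docx` from pid 5000 (a user or admin listing files) and the lone HTTPS connection from pid 2200 (a browser) each hit one stage and are suppressed, which is the point of correlating the stages instead of alerting on any recursive `dir` or any web connection. In a real deployment the parent-child attribution should follow the full process tree rather than a single ppid hop, and the extension list and window are tuning knobs, not fixed indicators.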