AuTo Stealer

AuTo Stealer is malware written in C++ that has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.[1]

ID: S1029
Platforms: Windows
Version: 1.0
Created: 07 August 2022
Last Modified: 24 August 2022

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

AuTo Stealer can use HTTP to communicate with its C2 servers.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

AuTo Stealer can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

AuTo Stealer can use cmd.exe to execute a created batch file.[1]

Enterprise T1005 Data from Local System

AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine.[1]

Enterprise T1074.001 Data Staged: Local Data Staging

AuTo Stealer can store data collected from an infected host in a file named Hostname_UserName.txt prior to exfiltration.[1]

Enterprise T1041 Exfiltration Over C2 Channel

AuTo Stealer can exfiltrate data to actor-controlled C2 servers via HTTP or TCP.[1]

Enterprise T1095 Non-Application Layer Protocol

AuTo Stealer can use TCP to communicate with command and control servers.[1]

Enterprise T1518.001 Software Discovery: Security Software Discovery

AuTo Stealer has the ability to collect information about installed AV products from an infected host.[1]

Enterprise T1082 System Information Discovery

AuTo Stealer has the ability to collect the hostname and OS information from an infected host.[1]

Enterprise T1033 System Owner/User Discovery

AuTo Stealer has the ability to collect the username from an infected host.[1]

Groups That Use This Software

ID Name References
G1008 SideCopy