AuTo Stealer is malware written in C++ has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.
|Enterprise||T1071||.001||Application Layer Protocol: Web Protocols||
AuTo Stealer can use HTTP to communicate with its C2 servers.
|Enterprise||T1547||.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder||
AuTo Stealer can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.
|Enterprise||T1059||.003||Command and Scripting Interpreter: Windows Command Shell||
AuTo Stealer can use
|Enterprise||T1005||Data from Local System||
AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine.
|Enterprise||T1074||.001||Data Staged: Local Data Staging||
AuTo Stealer can store collected data from an infected host to a file named
|Enterprise||T1041||Exfiltration Over C2 Channel||
AuTo Stealer can exfiltrate data over actor-controlled C2 servers via HTTP or TCP.
|Enterprise||T1095||Non-Application Layer Protocol||
AuTo Stealer can use TCP to communicate with command and control servers.
|Enterprise||T1518||.001||Software Discovery: Security Software Discovery||
AuTo Stealer has the ability to collect information about installed AV products from an infected host.
|Enterprise||T1082||System Information Discovery||
AuTo Stealer has the ability to collect the hostname and OS information from an infected host.
|Enterprise||T1033||System Owner/User Discovery||
AuTo Stealer has the ability to collect the username from an infected host.