PACEMAKER is a credential stealer that was used by APT5 as early as 2020 including activity against US Defense Industrial Base (DIB) companies.[1]

ID: S1109
Platforms: Network, Linux
Version: 1.0
Created: 08 February 2024
Last Modified: 10 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection

PACEMAKER can enter a loop to read /proc/ entries every 2 seconds in order to read a target application's memory.[1]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

PACEMAKER can use a simple bash script for execution.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

PACEMAKER has written extracted data to tmp/dsserver-check.statementcounters.[1]

Enterprise T1083 File and Directory Discovery

PACEMAKER can parse /proc/"process_name"/cmdline to look for the string dswsd within the command line.[1]

Enterprise T1003 .007 OS Credential Dumping: Proc Filesystem

PACEMAKER has the ability to extract credentials from OS memory.[1]

Enterprise T1055 .008 Process Injection: Ptrace System Calls

PACEMAKER can use PTRACE to attach to a targeted process to read process memory.[1]

Groups That Use This Software

ID Name References
G1023 APT5