LP-Notes is a C/C++ credential stealer for Windows used by MuddyWater. It is named after lp-notes.txt, the file in which it stores stolen credentials.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | LP-Notes has impersonated the security context of the taskhostw.exe process via the |
| Enterprise | T1560 | Archive Collected Data | LP-Notes has encrypted collected credentials using AES-CBC from the CNG API with the key ED15C8344B45DAED1E0578F8BC1A32411812C61F4CB45D89B107287DE0E09FFC.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | LP-Notes has been downloaded and executed by PowerShell's |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | LP-Notes has stored collected credentials in the lp-notes.txt file.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | LP-Notes has decrypted strings of 15 to 19 characters using the same decryption key for every string.[1] |
| Enterprise | T1056.002 | Input Capture: GUI Input Capture | LP-Notes has displayed a fake Windows Security dialog box to prompt for Windows credentials.[1] |
| Enterprise | T1106 | Native API | LP-Notes has used the |
| Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | LP-Notes has dynamically resolved API functions during C runtime startup.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | LP-Notes has used a custom addition-based function and a string stacking function for string encryption.[1] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1078 | Valid Accounts | LP-Notes has used stolen Windows credentials to log in as those users.[1] |
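The T1140 and T1027.013 rows above describe two traits an analyst can exploit: strings are built on the stack from immediates rather than stored in .rdata, and one key decodes every 15 to 19 character string. The C program below is an added illustration, not code from this page or from LP-Notes itself: it shows what a stacked, addition-encoded string looks like in source, the in-place subtraction that decodes it, and a key-recovery routine that tries all 256 single-byte keys against several blobs and keeps the one that decodes all of them to text. The key 0x5A, the ENC4 macro, the "add one byte" scheme and the sample strings are assumptions for the demo; LP-Notes' actual arithmetic is not documented on this page.

```c
/* Added illustration (not LP-Notes' own code): string stacking plus an
 * addition-based single-byte encoding, and analyst-side recovery of a key
 * that is reused across every 15-19 byte string.
 * KEY, the ENC4 layout and the sample strings are assumptions. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY 0x5Au   /* assumed single-byte key shared by every string */

/* Pack four encoded characters into one 32-bit immediate. The compiler
 * emits a "mov dword [stack], imm32" per chunk, so no plaintext string
 * exists in .rdata to dump. Byte order matches a little-endian (x86) store. */
#define ENC4(a, b, c, d)                                   \
    ((uint32_t)(uint8_t)((a) + KEY)       |                \
     (uint32_t)(uint8_t)((b) + KEY) << 8  |                \
     (uint32_t)(uint8_t)((c) + KEY) << 16 |                \
     (uint32_t)(uint8_t)((d) + KEY) << 24)

/* Malware-side decoder: subtract the key from each byte in place. */
static void decode_add(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(buf[i] - key);
}

/* Analyst-side encoder, used only to construct sample blobs below. */
static void encode_add(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)(buf[i] + key);
}

/* Build the constructed 16-byte sample "Windows Security" on the stack
 * from four immediates, then decode it. Returns the plaintext. */
const char *decode_stacked(void) {
    static char out[17];
    uint32_t chunk[4] = {
        ENC4('W', 'i', 'n', 'd'), ENC4('o', 'w', 's', ' '),
        ENC4('S', 'e', 'c', 'u'), ENC4('r', 'i', 't', 'y'),
    };
    uint8_t raw[16];
    memcpy(raw, chunk, sizeof raw);
    decode_add(raw, sizeof raw, KEY);
    memcpy(out, raw, sizeof raw);
    out[16] = '\0';
    return out;
}

/* Recover the shared key. A candidate survives only if every blob decodes
 * to printable ASCII; among survivors, the one producing the most
 * letters/digits/spaces/punctuation wins. Because one key covers several
 * strings with mixed-case letters, the maximum is unique. Returns -1 if
 * no candidate decodes cleanly. */
int recover_key(const uint8_t *const *blobs, const size_t *lens, size_t n) {
    int best_key = -1, best_score = -1;
    for (int k = 0; k < 256; k++) {
        int score = 0, ok = 1;
        for (size_t s = 0; s < n && ok; s++) {
            for (size_t i = 0; i < lens[s]; i++) {
                uint8_t c = (uint8_t)(blobs[s][i] - k);
                if (!isprint(c)) { ok = 0; break; }
                if (isalnum(c) || c == ' ' || c == '.' || c == '-' ||
                    c == ':' || c == '\\')
                    score++;
            }
        }
        if (ok && score > best_score) { best_score = score; best_key = k; }
    }
    return best_key;
}

/* Constructed samples in the 15-19 byte range the entry describes. */
int recover_demo(void) {
    static const char *plain[] = {
        "Windows Security", "Enter your password", "lp-notes.txt file"
    };
    enum { N = 3 };
    uint8_t enc[N][32];
    size_t lens[N];
    const uint8_t *ptrs[N];
    for (int i = 0; i < N; i++) {
        lens[i] = strlen(plain[i]);
        memcpy(enc[i], plain[i], lens[i]);
        encode_add(enc[i], lens[i], KEY);   /* simulate the packed binary */
        ptrs[i] = enc[i];
    }
    return recover_key(ptrs, lens, N);
}

int main(void) {
    printf("stacked string decodes to: %s\n", decode_stacked());
    printf("recovered key: 0x%02X (expected 0x%02X)\n",
           (unsigned)recover_demo(), KEY);
    return 0;
}
```

In a real sample the blobs come from the decoder's call sites (the immediates written just before each call), and the same recovered key then decodes every other string the binary stacks, which is the practical consequence of the "same key for every string" observation in the T1140 row.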
| ID | Name | References |
|---|---|---|
| G0069 | MuddyWater | MuddyWater has used LP-Notes during operations.[1] |