EvilGrab

EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. ^[1]

ID: S0152

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 14 December 2017

Last Modified: 23 March 2023

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.001	启动或登录自动启动执行: Registry Run Keys / Startup Folder	EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence.^[1]
Enterprise	T1113		屏幕捕获	EvilGrab has the capability to capture screenshots.^[1]
Enterprise	T1125		视频捕获	EvilGrab has the capability to capture video from a victim machine.^[1]
Enterprise	T1056	.001	输入捕获: Keylogging	EvilGrab has the capability to capture keystrokes.^[1]
Enterprise	T1123		音频捕获	EvilGrab has the capability to capture audio from a victim machine.^[1]

Groups That Use This Software

ID	Name	References
G0045	menuPass	^[1]

References

PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.

EvilGrab

Enterprise Layer

Techniques Used

Groups That Use This Software

References