Micropsia

Micropsia is a remote access tool written in Delphi.[1][2]

ID: S0339
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 29 January 2019
Last Modified: 04 October 2024

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.[1][2]

Enterprise T1547 .009 Boot or Logon Autostart Execution: Shortcut Modification

Micropsia creates a shortcut to maintain persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Micropsia creates a command-line shell using cmd.exe.[2]

Enterprise T1113 Screen Capture

Micropsia takes screenshots every 90 seconds by calling the Gdi32.BitBlt API.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Micropsia uses HTTP and HTTPS for C2 network communications.[1][2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Micropsia creates a RAR archive based on collected files on the victim's machine.[2]

Enterprise T1083 File and Directory Discovery

Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths.[2]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Micropsia obfuscates the configuration with a custom Base64 and XOR.[1][2]

Enterprise T1082 System Information Discovery

Micropsia gathers the hostname and OS version from the victim’s machine.[1][2]

Enterprise T1033 System Owner/User Discovery

Micropsia collects the username from the victim’s machine.[1]

Enterprise T1119 Automated Collection

Micropsia executes a RAR tool to recursively archive files based on a predefined list of file extensions (.xls, .xlsx, .csv, .odt, .doc, .docx, .ppt, .pptx, .pdf, .mdb, .accdb, .accde, .txt).[2]
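A detection check for the recursive RAR collection described under T1560.001 and T1119, added here as an example (it is not Micropsia's behaviour verbatim, nor MITRE's code). It assumes a constructed process-creation log shape with Image, CommandLine and ParentImage fields separated by " | "; the archiver binary names and the alert threshold are assumptions to tune for your environment.

```python
"""Flag RAR invocations that recursively sweep the document types Micropsia collects."""
import ntpath
import shlex

# Extensions listed on the page for Micropsia's recursive RAR collection (T1119).
COLLECTED_EXTENSIONS = {".xls", ".xlsx", ".csv", ".odt", ".doc", ".docx", ".ppt",
                        ".pptx", ".pdf", ".mdb", ".accdb", ".accde", ".txt"}
RAR_BINARIES = {"rar.exe", "winrar.exe"}  # assumed archiver names to watch
MIN_EXTENSIONS = 3                         # assumed threshold: wildcards needed to alert

# Constructed sample events (not real telemetry): one collection run, two benign uses.
SAMPLE_EVENTS = [
    r"Image=C:\Users\victim\AppData\Roaming\svc\rar.exe | CommandLine=rar.exe a -r C:\ProgramData\.store\docs.rar C:\ *.doc *.docx *.xls *.xlsx *.pdf *.txt | ParentImage=C:\Windows\System32\cmd.exe",
    r'Image=C:\Program Files\WinRAR\WinRAR.exe | CommandLine="C:\Program Files\WinRAR\WinRAR.exe" a photos.rar C:\Users\bob\Pictures\*.jpg | ParentImage=C:\Windows\explorer.exe',
    r"Image=C:\Tools\rar.exe | CommandLine=rar.exe a -r D:\backup\docs.rar D:\docs\*.docx | ParentImage=C:\Windows\System32\cmd.exe",
]


def parse_event(line):
    """Parse one 'key=value | key=value' record into a dict of fields."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def rar_collection_score(fields):
    """Return (is_suspicious, matched_extensions) for a single event.

    Suspicious = RAR binary + 'a' (add) command + '-r' recursion + wildcards
    covering several of the document types on Micropsia's list."""
    image = ntpath.basename(fields.get("Image", "")).lower()
    if image not in RAR_BINARIES:
        return False, set()
    # Windows command lines: quotes group tokens, backslashes are not escapes.
    args = [a.strip('"').lower() for a in shlex.split(fields.get("CommandLine", ""), posix=False)]
    if "a" not in args[1:] or "-r" not in args:
        return False, set()
    wildcards = [a for a in args if ntpath.basename(a).startswith("*.")]
    matched = {ntpath.splitext(a)[1] for a in wildcards} & COLLECTED_EXTENSIONS
    return len(matched) >= MIN_EXTENSIONS, matched


def scan(lines):
    """Return [(image, sorted matched extensions)] for events that trip the rule."""
    hits = []
    for line in lines:
        fields = parse_event(line)
        suspicious, matched = rar_collection_score(fields)
        if suspicious:
            hits.append((fields.get("Image"), sorted(matched)))
    return hits
```

Only the first constructed event is reported; the backup job with a single document wildcard stays below the threshold and the photo archive has neither recursion nor document types.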

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.[1][2]

Enterprise T1105 Ingress Tool Transfer

Micropsia can download and execute an executable from the C2 server.[1][2]

Enterprise T1056 .001 Input Capture: Keylogging

Micropsia has keylogging capabilities.[2]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Micropsia creates a new hidden directory to store all components' outputs in a dedicated sub-folder for each.[2]

Enterprise T1123 Audio Capture

Micropsia can perform microphone recording.[2]

Groups That Use This Software

ID Name References
G1028 APT-C-23

References