PACEMAKER

PACEMAKER is a credential stealer that was used by APT5 as early as 2020 including activity against US Defense Industrial Base (DIB) companies.^[1]

ID: S1109

ⓘ

Type: MALWARE

ⓘ

Platforms: Network, Linux

Version: 1.0

Created: 08 February 2024

Last Modified: 10 April 2024

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.004	命令与脚本解释器: Unix Shell	PACEMAKER can use a simple bash script for execution.^[1]
Enterprise	T1003	.007	操作系统凭证转储: Proc Filesystem	PACEMAKER has the ability to extract credentials from OS memory.^[1]
Enterprise	T1074	.001	数据分段: Local Data Staging	PACEMAKER has written extracted data to `tmp/dsserver-check.statementcounters`.^[1]
Enterprise	T1083		文件和目录发现	PACEMAKER can parse `/proc/"process_name"/cmdline` to look for the string `dswsd` within the command line.^[1]
Enterprise	T1119		自动化收集	PACEMAKER can enter a loop to read `/proc/` entries every 2 seconds in order to read a target application's memory.^[1]
Enterprise	T1055	.008	进程注入: Ptrace System Calls	PACEMAKER can use PTRACE to attach to a targeted process to read process memory.^[1]

ID	Name	References
G1023	APT5	^[1]