{"description": "Enterprise techniques used by InvisibleFerret, ATT&CK software S1245 (v1.0)", "name": "InvisibleFerret (S1245)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has queried the victim device using Python scripts to obtain the User and Hostname.(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has used HTTP for C2 communications.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has used 7zip, RAR and zip files to archive collected data for exfiltration.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has established persistence within Windows devices by creating a .bat file \u201cqueue.bat\u201d within the Startup folder to run a Python script.(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.013", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has established persistence within GNOME-based Linux environments by placing entries within `.desktop` that run on Startup.(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1115", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has stolen data from the clipboard using the Python project \u201cpyperclip\u201d.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023) [InvisibleFerret](https://attack.mitre.org/software/S1245) has also captured clipboard contents during copy and paste operations.(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has utilized a PowerShell script created in the victim\u2019s home directory named \u201cconf.ps1\u201d that is used to modify configuration files for AnyDesk remote services.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) is written in Python and has used Python scripts for execution.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.001", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has established persistence using LaunchAgents on macOS that run on Startup using a file named \u201ccom.avatar.update.wake.plist\u201d.(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has stolen login data, autofill data, cryptocurrency wallets, and payment information saved in web browsers such as Chrome, Brave, Opera, Yandex and Edge, including the versions for Windows, Linux, and macOS.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025) [InvisibleFerret](https://attack.mitre.org/software/S1245) has also leveraged the command `ssh_zcp` to copy browser data, including extensions and cryptocurrency wallet data.(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555.005", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has utilized the command `ssh_zcp` to exfiltrate data from browser extensions and password managers via Telegram and FTP.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has collected data utilizing a script that contained a list of excluded files and directory names and naming patterns of interest such as environment and configuration files, documents, spreadsheets, and other files that contained the words secret, wallet, private, and password.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has staged data in consolidated folders prior to exfiltration.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has decoded XOR-encrypted and Base64-encoded payloads prior to execution.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1048", "showSubtechniques": true}, {"techniqueID": "T1048.003", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has used FTP to exfiltrate files and directories using the command `ssh_upload`, which contains six subcommands, `.sdira`, `sdir`, `sfile`, `sfinda`, `sfindr` and `sfind`, with varying functions.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024) [InvisibleFerret](https://attack.mitre.org/software/S1245) has exfiltrated stolen files and data to the C2 servers over ports 1224, 2245 and 8637.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has used HTTP communications to the \u201c/Uploads\u201d URI for file exfiltration.(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1567", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has leveraged Telegram chat to upload stolen data using the Telegram API with a bot token.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has identified specific directories and files for exfiltration using the `ssh_upload` command, which contains the subcommands `.sdira`, `sdir`, `sfile`, `sfinda`, `sfindr` and `sfind`.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024) [InvisibleFerret](https://attack.mitre.org/software/S1245) also has the capability to scan and upload files of interest from multiple operating systems through the use of scripts that check file names and file extensions and avoid certain path names.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023) [InvisibleFerret](https://attack.mitre.org/software/S1245) has utilized the `findstr` command on Windows or the `find` command on macOS to search for files of interest.(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1657", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has searched the victim device for credentials and files commonly associated with cryptocurrency wallets.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has executed Python instances of the browser module \u201c.n2/bow\u201d utilizing the `CREATE_NO_WINDOW` process creation flag.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has downloaded \u201cAnyDesk.exe\u201d into the user\u2019s home directory from the C2 server when checks for the service fail to identify its presence in the victim environment.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025) [InvisibleFerret](https://attack.mitre.org/software/S1245) has also been configured to download additional payloads using a command which calls the /bow URI.(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has collected mouse and keyboard events using \u201cpyWinhook\u201d.(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has conducted keylogging using the Python projects \u201cpyWinHook\u201d and \u201cPyhook\u201d.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023) [InvisibleFerret](https://attack.mitre.org/software/S1245) has also run a keylogging thread that checks for changes in the active window and for key presses.(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1095", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has established a connection with the C2 server over TCP traffic.(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023) [InvisibleFerret](https://attack.mitre.org/software/S1245) has also created a TCP reverse shell communicating via a socket connection over ports 1245, 80, 2245, 3001, and 5000.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has been observed utilizing HTTP communications to the C2 server over ports 1224, 2245 and 8637.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has utilized XOR and Base64 encoding for each of its modules.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025) [InvisibleFerret](https://attack.mitre.org/software/S1245) has also obfuscated files with a combination of zlib, Base64 and reverse string order.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024) [InvisibleFerret](https://attack.mitre.org/software/S1245) has also utilized XOR and Base64 encoding for some of its Python scripts.(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has the capability to query installed programs and running processes.(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024) [InvisibleFerret](https://attack.mitre.org/software/S1245) has also identified running processes using the Python project \u201cpsutil\u201d.(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1219", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has utilized remote access software including the AnyDesk client through the \u201cadc\u201d module.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023) [InvisibleFerret](https://attack.mitre.org/software/S1245) has also downloaded the AnyDesk client should it not already exist on the compromised host, which it checks by searching for `C:/Program Files(x86)/AnyDesk/AnyDesk.exe`.(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1679", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has the capability to scan for file names and file extensions and to avoid pre-designated path names and file types.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1489", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has terminated Chrome and Brave browsers using the `taskkill` command on Windows and the `killall` command on other systems such as Linux and macOS.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025) [InvisibleFerret](https://attack.mitre.org/software/S1245) has also utilized its `ssh_kill` command to terminate Chrome and Brave browser processes.(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has gathered installed programs and running processes.(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has collected OS type, hostname and system version through the \u201cpay\u201d module.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025) [InvisibleFerret](https://attack.mitre.org/software/S1245) has also queried the victim device using Python scripts to obtain the User and Hostname.(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has collected the internal IP address and IP geolocation information of the infected host and sent the data to a C2 server.(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023) [InvisibleFerret](https://attack.mitre.org/software/S1245) has also leveraged the \u201cpay\u201d module to obtain region name, country, city, zip code, ISP, latitude and longitude using \u201chttp://ip-api.com/json\u201d.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has collected the local IP address and the external IP address.(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[InvisibleFerret](https://attack.mitre.org/software/S1245) has identified the user\u2019s UUID and username through the \u201cpay\u201d module.(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by InvisibleFerret", "color": "#66b1ff"}]}