Reference: 2022-02-16 by Telsy Research Team from Telsy
Tool: OutSteel
Names: OutSteel
Description: (Palo Alto) The OutSteel tool is a simple document stealer. It searches for potentially sensitive documents based on their file type and uploads the files to a remote server. The use of OutSteel may suggest that this threat group’s primary goals involve data collection on government organizations and companies involved with critical infrastructure.
Category: Malware
Type: Info stealer
Information: https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
Mitre-attack: https://attack.mitre.org/software/S1017/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.outsteel
Last-card-change: 2022-12-30
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
MITRE ATT&CK techniques attributed to OutSteel (tactic, technique, observed use):

Tactic | Technique | Use |
---|---|---|
Initial Access (TA0001) | T1566.001 Phishing: Spearphishing Attachment | OutSteel has been distributed as a malicious attachment within a spearphishing email. |
Initial Access (TA0001) | T1566.002 Phishing: Spearphishing Link | OutSteel has been distributed through malicious links contained within spearphishing emails. |
Execution (TA0002) | T1059.003 Command and Scripting Interpreter: Windows Command Shell | OutSteel has used cmd.exe to scan a compromised host for specific file extensions. |
Execution (TA0002) | T1204.001 User Execution: Malicious Link | OutSteel has relied on a user to click a malicious link within a spearphishing email. |
Execution (TA0002) | T1204.002 User Execution: Malicious File | OutSteel has relied on a user to execute a malicious attachment delivered via spearphishing. |
Defense Evasion (TA0005) | T1070.004 Indicator Removal: File Deletion | OutSteel can delete itself following the successful execution of a follow-on payload. |
Discovery (TA0007) | T1083 File and Directory Discovery | OutSteel can search for specific file extensions, including zipped files. |
Collection (TA0009) | T1119 Automated Collection | OutSteel can automatically scan for and collect files with specific extensions. |
Exfiltration (TA0010) | T1041 Exfiltration Over C2 Channel | OutSteel can upload files from a compromised host over its C2 channel. |
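The two cmd.exe behaviours in the table (T1059.003/T1083/T1119: cmd.exe enumerating document extensions; T1070.004: deleting itself after a follow-on payload) are the ones a detection engineer can test for from process-creation telemetry. The following detector is an added example written for this page; it is not code from Palo Alto, Telsy, the ETDA card or the malware itself. The log format (`Key=Value|Key=Value` records), the set of document extensions, the threshold of three extensions, and the sample command lines are all constructed assumptions: the sources only state that cmd.exe was used to scan for specific extensions, including zipped files, and that the tool deletes itself, not the exact command lines.

```python
"""Added example: flag cmd.exe document-extension enumeration (T1059.003/T1083)
and cmd.exe self-deletion of its parent image (T1070.004) in process-creation logs.
All log lines, extension sets and thresholds below are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed "document" extensions; the card only says "specific file extensions,
# including zipped files", so this set is an assumption, not OutSteel's list.
DOC_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt", "odt",
    "zip", "rar", "7z",
}
ENUM_THRESHOLD = 3  # distinct document extensions before a cmd.exe line is flagged

# Wildcard extension patterns such as *.docx or *.zip inside a command line.
WILDCARD_EXT = re.compile(r"\*\.([A-Za-z0-9]{1,5})\b")
# del/erase, optional switches (/f /q ...), then a quoted or unquoted path.
DELETE_CMD = re.compile(r"\b(?:del|erase)\b\s+(?:/\w+\s+)*\"?([^\"\s]+)\"?", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcessEvent(
        parent_image=fields.get("ParentImage", ""),
        image=fields.get("Image", ""),
        command_line=fields.get("CommandLine", ""),
    )


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: ProcessEvent) -> List[str]:
    """Return ATT&CK-tagged findings for one event (empty list if nothing matched)."""
    findings: List[str] = []
    if basename(event.image) != "cmd.exe":
        return findings
    # Rule 1: one cmd.exe invocation naming many distinct document extensions.
    exts = {m.lower() for m in WILDCARD_EXT.findall(event.command_line)}
    doc_hits = exts & DOC_EXTENSIONS
    if len(doc_hits) >= ENUM_THRESHOLD:
        findings.append(f"T1059.003/T1083: cmd.exe enumerating {len(doc_hits)} document extensions")
    # Rule 2: cmd.exe deleting the very executable that spawned it (self-deletion).
    for target in DELETE_CMD.findall(event.command_line):
        if event.parent_image and basename(target) == basename(event.parent_image):
            findings.append(f"T1070.004: cmd.exe deleting its parent image {basename(target)}")
            break
    return findings


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run detect() over a list of records; returns (1-based line number, finding)."""
    return [(i, f) for i, line in enumerate(lines, 1) for f in detect(parse_event(line))]


# Constructed sample telemetry (not real OutSteel command lines).
SAMPLE_EVENTS = [
    # dropper spawns cmd.exe to enumerate document types -> Rule 1
    r"ParentImage=C:\Users\alice\AppData\Local\Temp\update.exe|Image=C:\Windows\System32\cmd.exe"
    r"|CommandLine=cmd.exe /c dir /s /b C:\Users\*.doc C:\Users\*.docx C:\Users\*.xlsx "
    r"C:\Users\*.pdf C:\Users\*.zip > C:\Users\alice\AppData\Local\Temp\list.txt",
    # delayed deletion of the parent executable -> Rule 2
    r"ParentImage=C:\Users\alice\AppData\Local\Temp\update.exe|Image=C:\Windows\System32\cmd.exe"
    r'|CommandLine=cmd.exe /c ping 127.0.0.1 -n 3 & del /f /q "C:\Users\alice\AppData\Local\Temp\update.exe"',
    # benign admin use with a single extension: below threshold, no finding
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c dir /s *.docx",
    # non-cmd.exe process naming many extensions: out of scope for these rules
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\7-Zip\7z.exe|CommandLine=7z.exe a a.zip *.docx *.pdf *.xlsx",
]

if __name__ == "__main__":
    for line_no, finding in scan(SAMPLE_EVENTS):
        print(f"line {line_no}: {finding}")
```

Rule 1 keys on the number of distinct document extensions in a single cmd.exe command line rather than on any one string, so it survives reordering or a different extension list; tune `ENUM_THRESHOLD` against your own baseline of admin scripts. Rule 2 ties the deleted path back to the parent image, which is what separates self-deletion from routine cleanup of temp files.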