Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент CHOPSTICK
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
CHOPSTICK
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

CHOPSTICK

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the X-Agent for Android.
ID: S0023
Associated Software: SPLM Xagent X-Agent webhp Backdoor.SofacyX
Type: MALWARE
Platforms: Windows
Version: 2.2
Created: 31 May 2017
Last Modified: 14 Apr 2022

Associated Software Descriptions
Name Description
SPLM (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017)
Xagent (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017)
X-Agent (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017)
webhp (Citation: FireEye APT28 January 2017)
Backdoor.SofacyX (Citation: Symantec APT28 Oct 2018)

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Various implementations of CHOPSTICK communicate with C2 over HTTP.(Citation: ESET Sednit Part 2)
.003 Application Layer Protocol: Mail Protocols

Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.(Citation: ESET Sednit Part 2)

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

CHOPSTICK can use a DGA for Fallback Channels, domains are generated by concatenating words from lists.(Citation: ESET Sednit 2017 Activity)
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

CHOPSTICK encrypts C2 communications with RC4.(Citation: ESET Sednit Part 2)
.002 Encrypted Channel: Asymmetric Cryptography

CHOPSTICK encrypts C2 communications with TLS.(Citation: ESET Sednit Part 2)

Enterprise T1056 .001 Input Capture: Keylogging

CHOPSTICK is capable of performing keylogging.(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 2)(Citation: DOJ GRU Indictment Jul 2018)
Enterprise T1090 .001 Proxy: Internal Proxy

CHOPSTICK used a proxy server between victims and the C2 server.(Citation: ESET Sednit Part 2)
Enterprise T1518 .001 Software Discovery: Security Software Discovery

CHOPSTICK checks for antivirus and forensics software.(Citation: FireEye APT28)

Groups That Use This Software
ID Name References
G0007 APT28

(Citation: FireEye APT28) (Citation: Kaspersky Sofacy) (Citation: Securelist Sofacy Feb 2018) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017)

References

  1. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  2. FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
  3. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  4. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  5. Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
  6. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  7. ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.
  8. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  9. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
  10. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  11. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.