CHOPSTICK
Associated Software Descriptions

Name | Description
---|---
SPLM | (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017)
Xagent | (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017)
X-Agent | (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017)
webhp | (Citation: FireEye APT28 January 2017)
Backdoor.SofacyX | (Citation: Symantec APT28 Oct 2018)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Various implementations of CHOPSTICK communicate with C2 over HTTP.(Citation: ESET Sednit Part 2)
Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.(Citation: ESET Sednit Part 2)
Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | CHOPSTICK can use a DGA for Fallback Channels; domains are generated by concatenating words from lists.(Citation: ESET Sednit 2017 Activity)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | CHOPSTICK encrypts C2 communications with RC4.(Citation: ESET Sednit Part 2)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | CHOPSTICK encrypts C2 communications with TLS.(Citation: ESET Sednit Part 2)
Enterprise | T1056.001 | Input Capture: Keylogging | CHOPSTICK is capable of performing keylogging.(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 2)(Citation: DOJ GRU Indictment Jul 2018)
Enterprise | T1090.001 | Proxy: Internal Proxy | CHOPSTICK used a proxy server between victims and the C2 server.(Citation: ESET Sednit Part 2)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | CHOPSTICK checks for antivirus and forensics software.(Citation: FireEye APT28)
Groups That Use This Software

ID | Name | References
---|---|---
G0007 | APT28 | (Citation: FireEye APT28) (Citation: Kaspersky Sofacy) (Citation: Securelist Sofacy Feb 2018) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017)
References
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
- FireEye. (2015). APT28: A Window into Russia's Cyber Espionage Operations? Retrieved August 19, 2015.
- Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
- Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
- Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.
- Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.