JHUHUGIT
Associated Software Descriptions

Name | Description |
---|---|
JKEYSKW | (Citation: FireEye APT28 January 2017) |
GAMEFISH | (Citation: FireEye APT28 January 2017) |
Seduploader | (Citation: FireEye APT28 January 2017)(Citation: Talos Seduploader Oct 2017) |
SofacyCarberp | (Citation: Unit 42 Sofacy Feb 2018) |
Sednit | This designation has been used in reporting both to refer to the threat group (APT28) and its associated malware. (Citation: FireEye APT28 January 2017) |
Trojan.Sofacy | This designation has been used in reporting both to refer to the threat group (Skeleton Key) and its associated malware. (Citation: Symantec APT28 Oct 2018) |
Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS. (Citation: ESET Sednit Part 1)(Citation: Unit 42 Sofacy Feb 2018)(Citation: Unit 42 Playbook Dec 2017) |
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process. (Citation: ESET Sednit Part 1) |
Enterprise | T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | JHUHUGIT has registered a Windows shell script under the Registry key |
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | JHUHUGIT uses a .bat file to execute a .dll. (Citation: Talos Seduploader Oct 2017) |
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | JHUHUGIT has registered itself as a service to establish persistence. (Citation: ESET Sednit Part 1) |
Enterprise | T1132.001 | Data Encoding: Standard Encoding | A JHUHUGIT variant encodes C2 POST data in base64. (Citation: Unit 42 Playbook Dec 2017) |
Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | JHUHUGIT has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A}). (Citation: ESET Sednit Part 1)(Citation: Talos Seduploader Oct 2017) |
Enterprise | T1070.004 | Indicator Removal: File Deletion | The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files. (Citation: ESET Sednit Part 1)(Citation: Unit 42 Sofacy Feb 2018) |
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Many strings in JHUHUGIT are obfuscated with an XOR algorithm. (Citation: F-Secure Sofacy 2015)(Citation: ESET Sednit Part 1)(Citation: Talos Seduploader Oct 2017) |
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in. (Citation: ESET Sednit Part 1)(Citation: ESET Sednit July 2015) |
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | JHUHUGIT is executed using rundll32.exe. (Citation: F-Secure Sofacy 2015)(Citation: Talos Seduploader Oct 2017) |
Groups That Use This Software

ID | Name | References |
---|---|---|
G0007 | APT28 | (Citation: FireEye APT28 January 2017) (Citation: Kaspersky Sofacy) (Citation: Securelist Sofacy Feb 2018) (Citation: US District Court Indictment GRU Oct 2018) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
References
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
- FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
- Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
- Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- ESET Research. (2015, July 10). Sednit APT Group Meets Hacking Team. Retrieved March 1, 2017.
- Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
- Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
- Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.