ADVSTORESHELL
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | ADVSTORESHELL connects to port 80 of a C2 server using Wininet API. Data is exchanged via HTTP POSTs.(Citation: Kaspersky Sofacy) |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | ADVSTORESHELL compresses output data generated by command execution with a custom implementation of the Lempel–Ziv–Welch (LZW) algorithm.(Citation: ESET Sednit Part 2) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | ADVSTORESHELL achieves persistence by adding itself to the |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | ADVSTORESHELL can create a remote shell and run a given command.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015) |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding.(Citation: Kaspersky Sofacy) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.(Citation: ESET Sednit Part 2) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | A variant of ADVSTORESHELL encrypts some C2 with 3DES.(Citation: Bitdefender APT28 Dec 2015) |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | A variant of ADVSTORESHELL encrypts some C2 with RSA.(Citation: Bitdefender APT28 Dec 2015) |
| Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | Some variants of ADVSTORESHELL achieve persistence by registering the payload as a Shell Icon Overlay handler COM object.(Citation: ESET Sednit Part 2) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | ADVSTORESHELL can delete files and directories.(Citation: ESET Sednit Part 2) |
| Enterprise | T1056.001 | Input Capture: Keylogging | ADVSTORESHELL can perform keylogging.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015) |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence.(Citation: Bitdefender APT28 Dec 2015) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0007 | APT28 | (Citation: Kaspersky Sofacy) (Citation: Securelist Sofacy Feb 2018) |
References
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.