T9000
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1560 | .003 | Archive Collected Data: Archive via Custom Method |
T9000 encrypts collected data using a single byte XOR key.(Citation: Palo Alto T9000 Feb 2016) |
| Enterprise | T1546 | .010 | Event Triggered Execution: AppInit DLLs |
If a victim meets certain criteria, T9000 uses the AppInit_DLL functionality to achieve persistence by ensuring that every user mode process that is spawned will load its malicious DLL, ResN32.dll. It does this by creating the following Registry keys: |
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.(Citation: Palo Alto T9000 Feb 2016) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
T9000 performs checks for various antivirus and security products during installation.(Citation: Palo Alto T9000 Feb 2016) |
References
- Moran, N. and Lanstein, A.. (2014, March 25). Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370. Retrieved April 15, 2016.
- Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.