
Prikormka

Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. (Citation: ESET Operation Groundbait)
ID: S0113
Type: MALWARE
Platforms: Windows
Version: 1.4
Created: 31 May 2017
Last Modified: 11 Apr 2024

Techniques Used

Domain | ID | Name
Use

Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA. (Citation: ESET Operation Groundbait)

Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers

A module in Prikormka gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers. (Citation: ESET Operation Groundbait)

Enterprise | T1132.001 | Data Encoding: Standard Encoding

Prikormka encodes C2 traffic with Base64. (Citation: ESET Operation Groundbait)

Enterprise | T1074.001 | Data Staged: Local Data Staging

Prikormka creates a directory, %USERPROFILE%\AppData\Local\SKC\, which is used to store collected log files. (Citation: ESET Operation Groundbait)

Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography

Prikormka encrypts some C2 traffic with the Blowfish cipher. (Citation: ESET Operation Groundbait)

Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking

Prikormka uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory. (Citation: ESET Operation Groundbait)

Enterprise | T1070.004 | Indicator Removal: File Deletion

After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host. (Citation: ESET Operation Groundbait)

Enterprise | T1056.001 | Input Capture: Keylogging

Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows. (Citation: ESET Operation Groundbait)

Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File

Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64. (Citation: ESET Operation Groundbait)

Enterprise | T1518.001 | Software Discovery: Security Software Discovery

A module in Prikormka collects information from the victim about installed anti-virus software. (Citation: ESET Operation Groundbait)

Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32

Prikormka uses rundll32.exe to load its DLL. (Citation: ESET Operation Groundbait)
