BADNEWS
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | BADNEWS establishes a backdoor over HTTP. (Citation: PaloAlto Patchwork Mar 2018)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | BADNEWS installs a registry Run key to establish persistence. (Citation: Forcepoint Monsoon)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | BADNEWS is capable of executing commands via cmd.exe. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | BADNEWS encodes C2 traffic with base64. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) (Citation: TrendMicro Patchwork Dec 2017)
Enterprise | T1074.001 | Data Staged: Local Data Staging | BADNEWS copies documents under 15MB found on the victim system to the user's
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017)
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018)
Enterprise | T1056.001 | Input Capture: Keylogging | When it first starts, BADNEWS spawns a new thread to log keystrokes. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) (Citation: TrendMicro Patchwork Dec 2017)
Enterprise | T1036.001 | Masquerading: Invalid Code Signature | BADNEWS is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate. (Citation: TrendMicro Patchwork Dec 2017)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | BADNEWS attempts to hide its payloads using legitimate filenames. (Citation: PaloAlto Patchwork Mar 2018)
Enterprise | T1055.012 | Process Injection: Process Hollowing | BADNEWS has a command to download an .exe and use process hollowing to inject it into a new process. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | BADNEWS creates a scheduled task to establish persistence by executing a malicious payload every subsequent minute. (Citation: PaloAlto Patchwork Mar 2018)
Enterprise | T1102.001 | Web Service: Dead Drop Resolver | BADNEWS collects C2 information via a dead drop resolver. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) (Citation: TrendMicro Patchwork Dec 2017)
Enterprise | T1102.002 | Web Service: Bidirectional Communication | BADNEWS can use multiple C2 channels, including RSS feeds, Github, forums, and blogs. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) (Citation: TrendMicro Patchwork Dec 2017)
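The Encrypted Channel row states the per-byte transform (ROR by 3, XOR by 0x23) and the Data Encoding row states that C2 traffic is base64-encoded. The following is an added analyst-side decoder written for this page; it is not code from the page, from MITRE, or from any of the cited BADNEWS analyses. It assumes the base64 layer wraps the ROR/XOR output, and because the page does not say which of the two transforms is applied first, it tries both orders and ranks the results by how printable they are. The sample beacon body is constructed, not real BADNEWS traffic.

```python
import base64

ROR_BITS = 3    # rotate-right amount stated on the page
XOR_KEY = 0x23  # XOR key stated on the page

# Bytes an analyst would accept as "readable": printable ASCII plus tab/CR/LF.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (inverse of ror8)."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def obfuscate(data: bytes, ror_first: bool = True) -> bytes:
    """Apply ROR-3 and XOR-0x23 to every byte.

    ror_first is an assumption: the page does not state which transform
    the malware applies first, so both orders are supported."""
    if ror_first:
        return bytes(ror8(b, ROR_BITS) ^ XOR_KEY for b in data)
    return bytes(ror8(b ^ XOR_KEY, ROR_BITS) for b in data)


def deobfuscate(data: bytes, ror_first: bool = True) -> bytes:
    """Invert obfuscate() by undoing the transforms in reverse order."""
    if ror_first:
        return bytes(rol8(b ^ XOR_KEY, ROR_BITS) for b in data)
    return bytes(rol8(b, ROR_BITS) ^ XOR_KEY for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are readable ASCII; 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def decode_c2_blob(b64_text: str) -> list:
    """Decode a captured blob under the assumed layering (base64 over ROR/XOR).

    Returns (order_name, plaintext, printable_ratio) tuples, best first, so the
    analyst can see which transform order produced readable text."""
    raw = base64.b64decode(b64_text)
    candidates = []
    for ror_first in (True, False):
        pt = deobfuscate(raw, ror_first)
        name = "ror_then_xor" if ror_first else "xor_then_ror"
        candidates.append((name, pt, printable_ratio(pt)))
    candidates.sort(key=lambda c: c[2], reverse=True)
    return candidates


# Constructed sample beacon body (not real BADNEWS traffic), wrapped the way
# the decoder expects: ROR/XOR first, then base64.
SAMPLE_PLAINTEXT = b"uid=1234&host=WORKSTATION-01&ver=1.0"
SAMPLE_BLOB = base64.b64encode(obfuscate(SAMPLE_PLAINTEXT)).decode()

if __name__ == "__main__":
    for order, pt, ratio in decode_c2_blob(SAMPLE_BLOB):
        print(f"{order}: printable={ratio:.2f} {pt!r}")
```

Because bit rotation distributes over XOR, the two orders differ only in the effective XOR constant (0x23 versus 0x23 rotated), so the wrong order still yields byte-for-byte output and a printability score is enough to tell them apart on a real capture.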
Groups That Use This Software

ID | Name | References
---|---|---
G0040 | Patchwork | (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017)
References
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- Levene, B., et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.