CORESHELL
Associated Software Descriptions

| Name | Description |
|---|---|
| Sofacy | This designation has been used in reporting both to refer to the threat group (APT28) and its associated malware. (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017) (Citation: Securelist Sofacy Feb 2018) |
| SOURFACE | (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017) (Citation: Securelist Sofacy Feb 2018) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | CORESHELL can communicate over HTTP for C2. (Citation: FireEye APT28) (Citation: Microsoft SIR Vol 19) |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | CORESHELL can communicate over SMTP and POP3 for C2. (Citation: FireEye APT28) (Citation: Microsoft SIR Vol 19) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder. (Citation: Microsoft SIR Vol 19) |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | CORESHELL C2 messages are Base64-encoded. (Citation: FireEye APT28) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys. (Citation: FireEye APT28) |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | CORESHELL contains unused machine instructions in a likely attempt to hinder analysis. (Citation: FireEye APT28) |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW". (Citation: Microsoft SIR Vol 19) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0007 | APT28 | (Citation: FireEye APT28) (Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
References
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
- Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
- Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.