Helminth
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Helminth can use HTTP for C2.(Citation: Palo Alto OilRig May 2016)
Enterprise | T1071.004 | Application Layer Protocol: DNS | Helminth can use DNS for C2.(Citation: Palo Alto OilRig May 2016)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Helminth establishes persistence by creating a shortcut in the Start Menu folder.(Citation: Palo Alto OilRig May 2016)
Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | Helminth establishes persistence by creating a shortcut.(Citation: Palo Alto OilRig May 2016)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | One version of Helminth uses a PowerShell script.(Citation: Palo Alto OilRig May 2016)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Helminth can provide a remote shell. One version of Helminth uses batch scripting.(Citation: Palo Alto OilRig May 2016)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | One version of Helminth consists of VBScript scripts.(Citation: Palo Alto OilRig May 2016)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | For C2 over HTTP, Helminth encodes data with base64 and sends it via the "Cookie" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values and sends the data in cleartext.(Citation: Palo Alto OilRig May 2016)
Enterprise | T1074.001 | Data Staged: Local Data Staging | Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.(Citation: Palo Alto OilRig May 2016)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Helminth encrypts data sent to its C2 server over HTTP with RC4.(Citation: Palo Alto OilRig May 2016)
Enterprise | T1056.001 | Input Capture: Keylogging | The executable version of Helminth has a module to log keystrokes.(Citation: Palo Alto OilRig May 2016)
Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | Helminth has checked the local administrators group.(Citation: Unit 42 Playbook Dec 2017)
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Helminth has used a scheduled task for persistence.(Citation: ClearSky OilRig Jan 2017)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Helminth samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared.(Citation: ClearSky OilRig Jan 2017)
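The Data Encoding and Encrypted Channel rows above describe two transport encodings an analyst will want to reverse when triaging captures: base64 of RC4-encrypted data in the HTTP Cookie header, and ASCII turned into hex digits in DNS query names. The following is an added example written for this page, not code from the Palo Alto report or from the malware itself. The RC4 key, the cookie name, the C2 domain and the assumption that the hex data occupies the leading labels of the query name are all hypothetical; the page gives none of them.

```python
"""Decode Helminth-style C2 encodings: base64(RC4(data)) in an HTTP Cookie
header, and ASCII-as-hex in DNS query names.

Added example, not code from the Palo Alto report or from the malware.
The RC4 key, cookie name, C2 domain and the assumption that the hex data
sits in the leading labels of the query name are all hypothetical.
"""
import base64
import string

ASSUMED_RC4_KEY = b"example-key"      # hypothetical; the real key is not on the page
ASSUMED_COOKIE_NAME = "SESSID"        # hypothetical cookie name
ASSUMED_C2_DOMAIN = "c2.example.com"  # hypothetical C2 domain
HEX_CHARS = set("0123456789abcdefABCDEF")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). The same function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_http_beacon(plaintext: bytes, key: bytes = ASSUMED_RC4_KEY) -> str:
    """Cookie header value as the page describes it: RC4, then base64."""
    return f"{ASSUMED_COOKIE_NAME}={base64.b64encode(rc4(key, plaintext)).decode()}"


def decode_http_beacon(cookie_header: str, key: bytes = ASSUMED_RC4_KEY) -> bytes:
    """Reverse it: pick the cookie out of the header, base64-decode, RC4-decrypt."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")  # partition keeps base64 '=' padding
        cookies[name] = value
    return rc4(key, base64.b64decode(cookies[ASSUMED_COOKIE_NAME]))


def encode_dns_beacon(plaintext: bytes, domain: str = ASSUMED_C2_DOMAIN) -> str:
    """Hex-encode the data and split it into labels of at most 62 hex digits
    (under the 63-octet DNS label limit, and even so no byte straddles a label)."""
    hexdata = plaintext.hex()
    labels = [hexdata[i:i + 62] for i in range(0, len(hexdata), 62)]
    return ".".join(labels + [domain])


def decode_dns_beacon(qname: str, domain: str = ASSUMED_C2_DOMAIN) -> bytes:
    """Strip the C2 domain, join the remaining labels and hex-decode them."""
    if not qname.lower().endswith("." + domain.lower()):
        raise ValueError("not a query for the assumed C2 domain")
    return bytes.fromhex(qname[:-len(domain) - 1].replace(".", ""))


def looks_like_hex_beacon(qname: str) -> bool:
    """Detection heuristic for logs where the C2 domain is not yet known: the
    leading label is all hex, even-length, reasonably long, and decodes to
    printable ASCII. Hypothetical rule; expect false positives from CDNs and
    hashed hostnames, so use it to surface candidates, not to block."""
    first = qname.split(".")[0]
    if len(first) < 8 or len(first) % 2 or not set(first) <= HEX_CHARS:
        return False
    return all(chr(b) in string.printable for b in bytes.fromhex(first))


if __name__ == "__main__":
    # Constructed sample beacon, not a real capture.
    beacon = b"host=WKS01;user=alice"
    header = "lang=en; " + encode_http_beacon(beacon)
    print("Cookie:", header)
    print("decoded:", decode_http_beacon(header))
    qname = encode_dns_beacon(beacon)
    print("DNS query:", qname)
    print("decoded:", decode_dns_beacon(qname), "flagged:", looks_like_hex_beacon(qname))
```

Because RC4 is a stream cipher with no integrity check, the decoder cannot tell a wrong key from corrupted data; a sensible triage step is to decrypt with each candidate key and keep the result that is printable ASCII.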
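The Permission Groups Discovery rows above say Helminth checked the local administrators group and the Domain Admins and Exchange Trusted Subsystem groups, but the page does not reproduce the commands. The following is an added detection example written for this page, not from the Unit 42 playbook or the malware: it runs over constructed process-creation events and assumes the enumeration is done with net.exe group/localgroup or the PowerShell *-GroupMember cmdlets, which is an assumption rather than something the page states.

```python
"""Flag process-creation events that enumerate the groups Helminth is
reported to check (local Administrators, Domain Admins, Exchange Trusted
Subsystem).

Added example, not from the Unit 42 playbook or the malware. The page does
not reproduce the exact commands, so the enumeration verbs matched here
(net.exe group/localgroup and the PowerShell *-GroupMember cmdlets) and the
sample events below are assumptions constructed for illustration.
"""
import re

# Group names taken from the page; compared case-insensitively after quotes are dropped.
GROUPS_OF_INTEREST = ("domain admins", "exchange trusted subsystem", "administrators")

# Assumed enumeration verbs. net.exe usually hands off to net1.exe, so match both.
ENUM_VERBS = [
    re.compile(r"\bnet1?(?:\.exe)?\s+(?:local)?group\b", re.I),
    re.compile(r"\bGet-(?:AD|Local)GroupMember\b", re.I),
]

# Constructed Sysmon-style process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2017-12-15T09:01:02", "host": "WKS01", "cmd": 'net group "domain admins" /domain'},
    {"ts": "2017-12-15T09:01:05", "host": "WKS01", "cmd": 'net  group "Exchange Trusted Subsystem" /domain'},
    {"ts": "2017-12-15T09:01:09", "host": "WKS01", "cmd": "net localgroup administrators"},
    {"ts": "2017-12-15T09:02:00", "host": "WKS02", "cmd": r"net use Z: \\fileserver\share"},
    {"ts": "2017-12-15T09:03:30", "host": "WKS02", "cmd": "powershell.exe -c Get-ADGroupMember 'Domain Admins'"},
    {"ts": "2017-12-15T09:04:00", "host": "WKS03", "cmd": "net user alice"},
]


def group_lookups(cmdline: str) -> list:
    """Groups of interest named in a command line that is a group enumeration;
    empty list when the command is not an enumeration or names no such group."""
    if not any(verb.search(cmdline) for verb in ENUM_VERBS):
        return []
    normalized = cmdline.replace('"', "").replace("'", "").lower()
    return [g for g in GROUPS_OF_INTEREST if g in normalized]


def find_group_discovery(events) -> list:
    """One finding per event that enumerates a group of interest."""
    findings = []
    for ev in events:
        hits = group_lookups(ev["cmd"])
        if hits:
            findings.append({"ts": ev["ts"], "host": ev["host"], "groups": hits, "cmd": ev["cmd"]})
    return findings


def hosts_with_full_pattern(findings) -> list:
    """Hosts that checked the local Administrators group and at least one of the
    domain groups: the combination the page attributes to Helminth, and a much
    rarer thing for an admin to do by hand than any single query."""
    seen = {}
    for f in findings:
        seen.setdefault(f["host"], set()).update(f["groups"])
    domain_groups = {"domain admins", "exchange trusted subsystem"}
    return sorted(h for h, g in seen.items() if "administrators" in g and g & domain_groups)


if __name__ == "__main__":
    for f in find_group_discovery(SAMPLE_EVENTS):
        print(f["ts"], f["host"], f["groups"], "<-", f["cmd"])
    print("hosts matching the full pattern:", hosts_with_full_pattern(find_group_discovery(SAMPLE_EVENTS)))
```

A single `net group` is routine on an admin workstation, so alert on the per-host combination rather than on individual findings, and add a time window (the three WKS01 queries above land within seconds) if the volume is still too high.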
Groups That Use This Software

ID | Name | References
---|---|---
G0049 | OilRig | (Citation: Palo Alto OilRig May 2016) (Citation: FireEye APT34 Webinar Dec 2017) (Citation: Crowdstrike Helix Kitten Nov 2018)
References
- Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
- Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
- Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.