Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Helminth

Helminth is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via a macros in Excel spreadsheets, and one that is a standalone Windows executable. (Citation: Palo Alto OilRig May 2016)
ID: S0170
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 16 Jan 2018
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Helminth can use HTTP for C2.(Citation: Palo Alto OilRig May 2016)

.004 Application Layer Protocol: DNS

Helminth can use DNS for C2.(Citation: Palo Alto OilRig May 2016)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Helminth establishes persistence by creating a shortcut in the Start Menu folder.(Citation: Palo Alto OilRig May 2016)

.009 Boot or Logon Autostart Execution: Shortcut Modification

Helminth establishes persistence by creating a shortcut.(Citation: Palo Alto OilRig May 2016)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

One version of Helminth uses a PowerShell script.(Citation: Palo Alto OilRig May 2016)

.003 Command and Scripting Interpreter: Windows Command Shell

Helminth can provide a remote shell. One version of Helminth uses batch scripting.(Citation: Palo Alto OilRig May 2016)

.005 Command and Scripting Interpreter: Visual Basic

One version of Helminth consists of VBScript scripts.(Citation: Palo Alto OilRig May 2016)

Enterprise T1132 .001 Data Encoding: Standard Encoding

For C2 over HTTP, Helminth encodes data with base64 and sends it via the "Cookie" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values and sends the data in cleartext.(Citation: Palo Alto OilRig May 2016)

Enterprise T1074 .001 Data Staged: Local Data Staging

Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.(Citation: Palo Alto OilRig May 2016)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Helminth encrypts data sent to its C2 server over HTTP with RC4.(Citation: Palo Alto OilRig May 2016)

Enterprise T1056 .001 Input Capture: Keylogging

The executable version of Helminth has a module to log keystrokes.(Citation: Palo Alto OilRig May 2016)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

The Helminth config file is encrypted with RC4.(Citation: Palo Alto OilRig May 2016)

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Helminth has checked the local administrators group.(Citation: Unit 42 Playbook Dec 2017)

.002 Permission Groups Discovery: Domain Groups

Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands net group Exchange Trusted Subsystem /domain and net group domain admins /domain.(Citation: Unit 42 Playbook Dec 2017)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Helminth has used a scheduled task for persistence.(Citation: ClearSky OilRig Jan 2017)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Helminth samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared.(Citation: ClearSky OilRig Jan 2017)

Groups That Use This Software

ID Name References
G0049 OilRig

(Citation: Palo Alto OilRig May 2016) (Citation: FireEye APT34 Webinar Dec 2017) (Citation: Crowdstrike Helix Kitten Nov 2018)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.