Denis
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .004 | Application Layer Protocol: DNS |
Denis has used DNS tunneling for C2 communications.(Citation: Cybereason Oceanlotus May 2017)(Citation: Securelist Denis April 2017)(Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1560 | .002 | Archive Collected Data: Archive via Library |
Denis compressed collected data using zlib.(Citation: Securelist Denis April 2017) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Denis has a version written in PowerShell.(Citation: Cybereason Cobalt Kitty 2017) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
Denis can launch a remote shell to execute arbitrary commands on the victim’s machine.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
||
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Denis encodes the data sent to the server in Base64.(Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
Denis exploits a security vulnerability to load a fake DLL and execute its code.(Citation: Cybereason Oceanlotus May 2017) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Denis has a command to delete files from the victim’s machine.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1055 | .012 | Process Injection: Process Hollowing |
Denis performed process hollowing through the API calls CreateRemoteThread, ResumeThread, and Wow64SetThreadContext.(Citation: Cybereason Cobalt Kitty 2017) |
| Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
Denis ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis.(Citation: Cybereason Cobalt Kitty 2017) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0050 | APT32 |
(Citation: Cybereason Oceanlotus May 2017) (Citation: Cybereason Cobalt Kitty 2017) |
References
- Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
- Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.