ZxShell
Associated Software Descriptions |
|
Name | Description |
---|---|
Sensocode | (Citation: Talos ZxShell Oct 2014) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1134 | .002 | Access Token Manipulation: Create Process with Token |
ZxShell has a command called RunAs, which creates a new process as another user or process context.(Citation: Talos ZxShell Oct 2014) |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
ZxShell has used HTTP for C2 connections.(Citation: Talos ZxShell Oct 2014) |
.002 | Application Layer Protocol: File Transfer Protocols |
ZxShell has used FTP for C2 connections.(Citation: Talos ZxShell Oct 2014) |
||
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
ZxShell can launch a reverse command shell.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014)(Citation: Secureworks BRONZEUNION Feb 2019) |
Enterprise | T1136 | .001 | Create Account: Local Account |
ZxShell has a feature to create local user accounts.(Citation: Talos ZxShell Oct 2014) |
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
ZxShell can create a new service using the service parser function ProcessScCommand.(Citation: Talos ZxShell Oct 2014) |
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
ZxShell can kill AV products' processes.(Citation: Talos ZxShell Oct 2014) |
.004 | Impair Defenses: Disable or Modify System Firewall |
ZxShell can disable the firewall by modifying the registry key |
||
Enterprise | T1070 | .001 | Indicator Removal: Clear Windows Event Logs |
ZxShell has a command to clear system event logs.(Citation: Talos ZxShell Oct 2014) |
.004 | Indicator Removal: File Deletion |
ZxShell can delete files from the system.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) |
||
Enterprise | T1056 | .001 | Input Capture: Keylogging |
ZxShell has a feature to capture a remote computer's keystrokes using a keylogger.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) |
.004 | Input Capture: Credential API Hooking |
ZxShell hooks several API functions to spawn system threads.(Citation: Talos ZxShell Oct 2014) |
||
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
ZxShell is injected into a shared SVCHOST process.(Citation: Talos ZxShell Oct 2014) |
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
ZxShell has remote desktop functionality.(Citation: Talos ZxShell Oct 2014) |
.005 | Remote Services: VNC |
ZxShell supports functionality for VNC sessions.(Citation: Talos ZxShell Oct 2014) |
||
Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
ZxShell has used rundll32.exe to execute other DLLs and named pipes.(Citation: Talos ZxShell Oct 2014) |
Enterprise | T1569 | .002 | System Services: Service Execution |
ZxShell can create a new service for execution.(Citation: Talos ZxShell Oct 2014) |
Groups That Use This Software |
||
ID | Name | References |
---|---|---|
G0001 | Axiom |
(Citation: Talos ZxShell Oct 2014) (Citation: Cisco Group 72) |
G0096 | APT41 |
(Citation: FireEye APT41 Aug 2019) |
G0027 | Threat Group-3390 |
(Citation: Secureworks BRONZEUNION Feb 2019) |
References
- Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
- Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
- Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
- Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION’s Toolbox. Retrieved September 24, 2019.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.