Okrum
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API. (Citation: ESET Okrum July 2019)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Okrum uses HTTP for communication with its C2. (Citation: ESET Okrum July 2019)
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Okrum was seen using a RAR archiver tool to compress/decompress data. (Citation: ESET Okrum July 2019)
Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | Okrum has used a custom implementation of AES encryption to encrypt collected data. (Citation: ESET Okrum July 2019)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder. (Citation: ESET Okrum July 2019)
Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | Okrum can establish persistence by creating a .lnk shortcut to itself in the Startup folder. (Citation: ESET Okrum July 2019)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Okrum's backdoor has used cmd.exe to execute arbitrary commands, as well as batch scripts to update itself to a newer version. (Citation: ESET Okrum July 2019)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | To establish persistence, Okrum can install itself as a new service named NtmsSvc. (Citation: ESET Okrum July 2019)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Okrum has used base64 to encode C2 communication. (Citation: ESET Okrum July 2019)
Enterprise | T1001.003 | Data Obfuscation: Protocol or Service Impersonation | Okrum leverages the HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests. (Citation: ESET Okrum July 2019)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Okrum uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C2 server in the registration phase. (Citation: ESET Okrum July 2019)
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Before exfiltration, Okrum's backdoor has used hidden files to store logs and outputs from backdoor commands. (Citation: ESET Okrum July 2019)
Enterprise | T1070.004 | Indicator Removal: File Deletion | Okrum's backdoor deletes files after they have been successfully uploaded to C2 servers. (Citation: ESET Okrum July 2019)
Enterprise | T1056.001 | Input Capture: Keylogging | Okrum was seen using a keylogger tool to capture keystrokes. (Citation: ESET Okrum July 2019)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as the legitimate Removable Storage Manager. (Citation: ESET Okrum July 2019)
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Okrum was seen using MimikatzLite to perform credential dumping. (Citation: ESET Okrum July 2019)
Enterprise | T1003.005 | OS Credential Dumping: Cached Domain Credentials | Okrum was seen using a modified Quarks PwDump to perform credential dumping. (Citation: ESET Okrum July 2019)
Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | Okrum's payload is encrypted and embedded within its loader, or within a legitimate PNG file. (Citation: ESET Okrum July 2019)
Enterprise | T1090.002 | Proxy: External Proxy | Okrum can identify proxy servers configured and used by the victim, and use them to make HTTP requests to its C2 server. (Citation: ESET Okrum July 2019)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Okrum's installer can attempt to achieve persistence by creating a scheduled task. (Citation: ESET Okrum July 2019)
Enterprise | T1569.002 | System Services: Service Execution | Okrum's loader can create a new service named NtmsSvc to execute the payload. (Citation: ESET Okrum July 2019)
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Okrum's loader can check the amount of physical memory and terminates itself if the host has less than 1.5 GB of physical memory in total. (Citation: ESET Okrum July 2019)
Enterprise | T1497.002 | Virtualization/Sandbox Evasion: User Activity Based Checks | Okrum's loader only executes the payload after the left mouse button has been pressed at least three times, in order to avoid being executed within virtualized or emulated environments. (Citation: ESET Okrum July 2019)
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Okrum's loader can detect the presence of an emulator by making two calls to the GetTickCount API and checking whether time has been accelerated. (Citation: ESET Okrum July 2019)
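Okrum hides base64-encoded, AES-encrypted C2 messages in Cookie and Set-Cookie headers (T1001.003, T1132.001, T1573.001). As an added example, not code from this page or from ESET's report, the following Python heuristic flags HTTP headers whose cookie values are base64-shaped and decode to high-entropy bytes; the sample request, the stand-in payload bytes and the entropy threshold are constructed assumptions for illustration.

```python
# Added example (not from the ATT&CK page or ESET's report): triage heuristic
# for C2 traffic hidden in Cookie / Set-Cookie headers as base64 blobs.
import base64
import math
import re
from collections import Counter
from typing import Optional

# A cookie value made only of base64 alphabet characters, long enough to carry
# a message (24+ chars is an assumed floor), with optional '=' padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or random bytes approach 8.0, text sits near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def cookie_values(raw_message: str) -> list:
    """Return individual cookie values from Cookie and Set-Cookie headers."""
    values = []
    for line in raw_message.split("\r\n"):
        lower = line.lower()
        if lower.startswith("cookie:") or lower.startswith("set-cookie:"):
            for pair in line.split(":", 1)[1].split(";"):
                _, _, val = pair.strip().partition("=")
                if val:  # attributes without '=' (HttpOnly, Secure) are skipped
                    values.append(val)
    return values

def suspicious_cookie(raw_message: str, min_entropy: float = 5.0) -> Optional[str]:
    """Return the first cookie value that is base64-shaped and decodes to
    high-entropy bytes, or None. Long legitimate session tokens can also
    trip this, so treat a hit as a triage signal, not a verdict."""
    for val in cookie_values(raw_message):
        if not B64_RE.match(val):
            continue
        try:
            decoded = base64.b64decode(val, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if shannon_entropy(decoded) >= min_entropy:
            return val
    return None

# Constructed samples: a benign request and one carrying a base64 blob. The
# 48 distinct bytes stand in for ciphertext (entropy log2(48) ~ 5.58 bits).
PAYLOAD = base64.b64encode(bytes(range(48))).decode()
BENIGN = "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nCookie: session=abc123; lang=en\r\n\r\n"
SUSPECT = "GET /img/logo.png HTTP/1.1\r\nHost: www.example.test\r\nCookie: id=" + PAYLOAD + "; lang=en\r\n\r\n"
```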