
Okrum

Okrum is a Windows backdoor that has been seen in use since December 2016 with strong links to Ke3chang.(Citation: ESET Okrum July 2019)
ID: S0439
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 06 May 2020
Last Modified: 14 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.(Citation: ESET Okrum July 2019)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Okrum uses HTTP for communication with its C2.(Citation: ESET Okrum July 2019)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Okrum was seen using a RAR archiver tool to compress/decompress data.(Citation: ESET Okrum July 2019)

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Okrum has used a custom implementation of AES encryption to encrypt collected data.(Citation: ESET Okrum July 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.(Citation: ESET Okrum July 2019)

Enterprise T1547 .009 Boot or Logon Autostart Execution: Shortcut Modification

Okrum can establish persistence by creating a .lnk shortcut to itself in the Startup folder.(Citation: ESET Okrum July 2019)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Okrum's backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.(Citation: ESET Okrum July 2019)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

To establish persistence, Okrum can install itself as a new service named NtmsSvc.(Citation: ESET Okrum July 2019)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Okrum has used base64 to encode C2 communication.(Citation: ESET Okrum July 2019)

Enterprise T1001 .003 Data Obfuscation: Protocol Impersonation

Okrum mimics HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.(Citation: ESET Okrum July 2019)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Okrum uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C2 server in the registration phase.(Citation: ESET Okrum July 2019)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Before exfiltration, Okrum's backdoor has used hidden files to store logs and outputs from backdoor commands.(Citation: ESET Okrum July 2019)

Enterprise T1070 .004 Indicator Removal: File Deletion

Okrum's backdoor deletes files after they have been successfully uploaded to C2 servers.(Citation: ESET Okrum July 2019)

Enterprise T1056 .001 Input Capture: Keylogging

Okrum was seen using a keylogger tool to capture keystrokes.(Citation: ESET Okrum July 2019)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager.(Citation: ESET Okrum July 2019)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Okrum was seen using MimikatzLite to perform credential dumping.(Citation: ESET Okrum July 2019)

Enterprise T1003 .005 OS Credential Dumping: Cached Domain Credentials

Okrum was seen using modified Quarks PwDump to perform credential dumping.(Citation: ESET Okrum July 2019)

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

Okrum's payload is encrypted and embedded within its loader, or within a legitimate PNG file.(Citation: ESET Okrum July 2019)

Enterprise T1090 .002 Proxy: External Proxy

Okrum can identify the proxy servers configured and used by the victim, and use them to make HTTP requests to its C2 server.(Citation: ESET Okrum July 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Okrum's installer can attempt to achieve persistence by creating a scheduled task.(Citation: ESET Okrum July 2019)

Enterprise T1569 .002 System Services: Service Execution

Okrum's loader can create a new service named NtmsSvc to execute the payload.(Citation: ESET Okrum July 2019)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Okrum's loader can check the amount of physical memory and terminate itself if the host has less than 1.5 gigabytes of physical memory in total.(Citation: ESET Okrum July 2019)

Enterprise T1497 .002 Virtualization/Sandbox Evasion: User Activity Based Checks

Okrum's loader only executes the payload after the left mouse button has been pressed at least three times, in order to avoid being executed within virtualized or emulated environments.(Citation: ESET Okrum July 2019)

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Okrum's loader can detect the presence of an emulator by making two calls to the GetTickCount API and checking whether time has been accelerated.(Citation: ESET Okrum July 2019)

Groups That Use This Software

ID Name References
G0004 Ke3chang (Citation: ESET Okrum July 2019)
