
ShimRat

ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. (Citation: FOX-IT May 2016 Mofang)
ID: S0444
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 12 May 2020
Last Modified: 29 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

ShimRat has hijacked cryptbase.dll within migwiz.exe to escalate privileges. migwiz.exe is a Microsoft-signed binary that auto-elevates, so a malicious cryptbase.dll dropped into its directory is loaded ahead of the legitimate copy in System32 and runs with elevated integrity; this prevented the User Account Control prompt from appearing.(Citation: FOX-IT May 2016 Mofang)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ShimRat communicated over HTTP and HTTPS with C2 servers.(Citation: FOX-IT May 2016 Mofang)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

ShimRat has installed a registry-based start-up value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run as a fallback, to maintain persistence should its other methods fail.(Citation: FOX-IT May 2016 Mofang)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

ShimRat can be issued a command shell function from the C2.(Citation: FOX-IT May 2016 Mofang)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

ShimRat has installed a Windows service to maintain persistence on victim machines.(Citation: FOX-IT May 2016 Mofang)

Enterprise T1546 .011 Event Triggered Execution: Application Shimming

ShimRat has installed shim databases in the AppPatch folder.(Citation: FOX-IT May 2016 Mofang)

Enterprise T1070 .004 Indicator Removal: File Deletion

ShimRat can uninstall itself from compromised hosts, as well as create and modify directories and delete, move, copy, and rename files.(Citation: FOX-IT May 2016 Mofang)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems.(Citation: FOX-IT May 2016 Mofang)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

ShimRat's loader has been packed together with the compressed ShimRat core DLL and the legitimate DLL it hijacks.(Citation: FOX-IT May 2016 Mofang)

Enterprise T1090 .002 Proxy: External Proxy

ShimRat can use pre-configured HTTP proxies.(Citation: FOX-IT May 2016 Mofang)
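The three host-side techniques above (the cryptbase.dll hijack in migwiz.exe, the shim databases in AppPatch, and the HKCU Run key) each leave a distinctive trace in endpoint telemetry. The following is an added hunting example, written for this page and not taken from the FOX-IT report or from ATT&CK. It evaluates Sysmon-style events (field names follow Sysmon's Image, ImageLoaded, TargetFilename and TargetObject conventions; Event IDs 1, 7, 11 and 13) that are constructed inline for the demonstration; the directory names and the sample file and registry paths are assumptions, not indicators from the report.

```python
"""Hunt for ShimRat-style persistence and UAC bypass in Sysmon-like events.

Added example; event records below are constructed, not real telemetry.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Only these directories legitimately host cryptbase.dll. A copy loaded from
# the auto-elevating binary's own directory is the DLL search-order hijack.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# sdbinst.exe installs custom shim databases under this directory.
SHIM_DB_DIR = r"c:\windows\apppatch\custom"
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
SDB_REG_RE = re.compile(r"\\appcompatflags\\(custom|installedsdb)\\", re.I)

Finding = Tuple[str, str]  # (ATT&CK technique ID, human-readable detail)


def check_event(ev: Dict[str, str]) -> List[Finding]:
    """Return the findings a single Sysmon-style event triggers (may be empty)."""
    out: List[Finding] = []
    eid = ev.get("EventID")
    if eid == "7":  # Image loaded
        loaded = ev.get("ImageLoaded", "")
        if (ntpath.basename(loaded).lower() == "cryptbase.dll"
                and ntpath.dirname(loaded).lower() not in TRUSTED_DLL_DIRS):
            out.append(("T1548.002", f"cryptbase.dll loaded from {loaded} by {ev.get('Image')}"))
    elif eid == "1":  # Process created
        if ntpath.basename(ev.get("Image", "")).lower() == "sdbinst.exe":
            out.append(("T1546.011", f"sdbinst.exe run by {ev.get('ParentImage')}: {ev.get('CommandLine')}"))
    elif eid == "11":  # File created
        target = ev.get("TargetFilename", "")
        if (ntpath.dirname(target).lower().startswith(SHIM_DB_DIR)
                and target.lower().endswith(".sdb")):
            out.append(("T1546.011", f"shim database written: {target}"))
    elif eid == "13":  # Registry value set
        obj = ev.get("TargetObject", "")
        if RUN_KEY_RE.search(obj):
            out.append(("T1547.001", f"Run key value set: {obj} = {ev.get('Details')}"))
        elif SDB_REG_RE.search(obj):
            out.append(("T1546.011", f"shim database registered: {obj}"))
    return out


def hunt(events: List[Dict[str, str]]) -> List[Finding]:
    """Run every event through check_event and collect the findings in order."""
    findings: List[Finding] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed sample telemetry (hypothetical paths, GUIDs and SIDs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7", "Image": r"C:\Windows\System32\migwiz\migwiz.exe",
     "ImageLoaded": r"C:\Windows\System32\migwiz\cryptbase.dll"},          # hijack
    {"EventID": "7", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll"},                 # benign
    {"EventID": "1", "Image": r"C:\Windows\System32\sdbinst.exe",
     "ParentImage": r"C:\ProgramData\update.exe",
     "CommandLine": r"sdbinst.exe -q C:\ProgramData\patch.sdb"},
    {"EventID": "11", "Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetFilename": r"C:\Windows\AppPatch\Custom\{1b2c3d4e-0000-4000-8000-000000000001}.sdb"},
    {"EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\ProgramData\update.exe"},
    {"EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{1b2c3d4e-0000-4000-8000-000000000001}\DatabasePath",
     "Details": r"C:\Windows\AppPatch\Custom\{1b2c3d4e-0000-4000-8000-000000000001}.sdb"},
]

if __name__ == "__main__":
    for technique, detail in hunt(SAMPLE_EVENTS):
        print(technique, detail)
```

The benign explorer.exe load of cryptbase.dll from System32 produces no finding; only the copy loaded from the migwiz.exe directory does. Legitimate software does occasionally ship shim databases, so the T1546.011 hits are best triaged on the parent process that invoked sdbinst.exe rather than alerted on blindly.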

Groups That Use This Software

ID Name References
G0103 Mofang
