TEARDROP
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
TEARDROP ran as a Windows service from the |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
TEARDROP files had names that resembled legitimate Window file and directory names.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0016 | APT29 |
(Citation: FireEye SUNBURST Backdoor December 2020) (Citation: MSTIC NOBELIUM May 2021) (Citation: MSTIC Nobelium Toolset May 2021) (Citation: Secureworks IRON RITUAL Profile) |
| G0118 | UNC2452 |
(Citation: FireEye SUNBURST Backdoor December 2020) |
References
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
- Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
- Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
- MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.