Chaes
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Chaes has used HTTP for C2 communications.(Citation: Cybereason Chaes Nov 2020)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Chaes has added persistence via the Registry key
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Chaes has used cmd to execute tasks on the system.(Citation: Cybereason Chaes Nov 2020)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Chaes has used VBScript to execute malicious code.(Citation: Cybereason Chaes Nov 2020)
Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Chaes has used Python scripts for execution and the installation of additional files.(Citation: Cybereason Chaes Nov 2020)
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Chaes has used a JavaScript and Node.js information stealer script that exfiltrates data using the node process.(Citation: Cybereason Chaes Nov 2020)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Chaes can steal login credentials and stored financial information from the browser.(Citation: Cybereason Chaes Nov 2020)
Enterprise | T1132.001 | Data Encoding: Standard Encoding | Chaes has used Base64 to encode C2 communications.(Citation: Cybereason Chaes Nov 2020)
Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Chaes has used search order hijacking to load a malicious DLL.(Citation: Cybereason Chaes Nov 2020)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Chaes has used an unsigned, crafted DLL module named
Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | Some versions of Chaes stored its instructions (otherwise kept in an `instructions.ini` file) in the Registry.(Citation: Cybereason Chaes Nov 2020)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Chaes has been delivered by sending victims a phishing email containing a malicious .docx file.(Citation: Cybereason Chaes Nov 2020)
Enterprise | T1218.004 | System Binary Proxy Execution: InstallUtil | Chaes has used InstallUtil to download content.(Citation: Cybereason Chaes Nov 2020)
Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Chaes has used .MSI files as an initial way to start the infection chain.(Citation: Cybereason Chaes Nov 2020)
Enterprise | T1204.002 | User Execution: Malicious File | Chaes requires the user to click on the malicious Word document to execute the next part of the attack.(Citation: Cybereason Chaes Nov 2020)