Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент SysUpdate
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
SysUpdate
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

SysUpdate

SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.(Citation: Trend Micro Iron Tiger April 2021)
ID: S0663
Associated Software: HyperSSL Soldier FOCUSFJORD
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 29 Nov 2021
Last Modified: 10 Apr 2024

Associated Software Descriptions
Name Description
HyperSSL (Citation: Trend Micro Iron Tiger April 2021)
Soldier (Citation: Trend Micro Iron Tiger April 2021)
FOCUSFJORD (Citation: Trend Micro Iron Tiger April 2021)

Techniques Used
Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

SysUpdate has used DNS TXT requests as for its C2 communication.(Citation: Lunghi Iron Tiger Linux)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

SysUpdate can use a Registry Run key to establish persistence.(Citation: Trend Micro Iron Tiger April 2021)
Enterprise T1543 .002 Create or Modify System Process: Systemd Service

SysUpdate can copy a script to the user owned `/usr/lib/systemd/system/` directory with a symlink mapped to a `root` owned directory, `/etc/ystem/system`, in the unit configuration file's `ExecStart` directive to establish persistence and elevate privileges.(Citation: Lunghi Iron Tiger Linux)
.003 Create or Modify System Process: Windows Service

SysUpdate can create a service to establish persistence.(Citation: Trend Micro Iron Tiger April 2021)

Enterprise T1132 .001 Data Encoding: Standard Encoding

SysUpdate has used Base64 to encode its C2 traffic.(Citation: Lunghi Iron Tiger Linux)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

SysUpdate has used DES to encrypt all C2 communications.(Citation: Lunghi Iron Tiger Linux)
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

SysUpdate has the ability to set file attributes to hidden.(Citation: Trend Micro Iron Tiger April 2021)
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

SysUpdate can load DLLs through vulnerable legitimate executables.(Citation: Trend Micro Iron Tiger April 2021)

Enterprise T1070 .004 Indicator Removal: File Deletion

SysUpdate can delete its configuration file from the targeted system.(Citation: Trend Micro Iron Tiger April 2021)
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

SysUpdate has named their unit configuration file similarly to other unit files residing in the same directory, `/usr/lib/systemd/system/`, to appear benign.(Citation: Lunghi Iron Tiger Linux)
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

SysUpdate has been packed with VMProtect.(Citation: Trend Micro Iron Tiger April 2021)(Citation: Lunghi Iron Tiger Linux)
.011 Obfuscated Files or Information: Fileless Storage

SysUpdate can store its encoded configuration file within Software\Classes\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.(Citation: Trend Micro Iron Tiger April 2021)

.013 Obfuscated Files or Information: Encrypted/Encoded File

SysUpdate can encrypt and encode its configuration file.(Citation: Trend Micro Iron Tiger April 2021)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

SysUpdate has been signed with stolen digital certificates.(Citation: Lunghi Iron Tiger Linux)
Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

SysUpdate can contact the DNS server operated by Google as part of its C2 establishment process.(Citation: Lunghi Iron Tiger Linux)

Enterprise T1569 .002 System Services: Service Execution

SysUpdate can manage services and processes.(Citation: Trend Micro Iron Tiger April 2021)

Groups That Use This Software
ID Name References
G0027 Threat Group-3390

(Citation: Trend Micro Iron Tiger April 2021)

References

  1. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  2. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.