Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Gelsemium

Gelsemium is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.(Citation: ESET Gelsemium June 2021)
ID: S0666
Associated Software: Gelsevirine Gelsenicine Gelsemine
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 30 Nov 2021
Last Modified: 11 Apr 2024

Associated Software Descriptions

Name Description
Gelsevirine (Citation: ESET Gelsemium June 2021)
Gelsenicine (Citation: ESET Gelsemium June 2021)
Gelsemine (Citation: ESET Gelsemium June 2021)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Gelsemium can bypass UAC to elevate process privileges on a compromised host.(Citation: ESET Gelsemium June 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Gelsemium can use HTTP/S in C2 communications.(Citation: ESET Gelsemium June 2021)

.004 Application Layer Protocol: DNS

Gelsemium has the ability to use DNS in communication with C2.(Citation: ESET Gelsemium June 2021)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Gelsemium can set persistence with a Registry run key.(Citation: ESET Gelsemium June 2021)

.012 Boot or Logon Autostart Execution: Print Processors

Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll to be loaded automatically by the spoolsv Windows service.(Citation: ESET Gelsemium June 2021)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Gelsemium can use a batch script to delete itself.(Citation: ESET Gelsemium June 2021)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Gelsemium can drop itself in `C:\Windows\System32\spool\prtprocs\x64\winprint.dll` as an alternative Print Processor to be loaded automatically when the spoolsv Windows service starts.(Citation: ESET Gelsemium June 2021)

Enterprise T1070 .004 Indicator Removal: File Deletion

Gelsemium can delete its dropper component from the targeted system.(Citation: ESET Gelsemium June 2021)

.006 Indicator Removal: Timestomp

Gelsemium has the ability to perform timestomping of files on targeted systems.(Citation: ESET Gelsemium June 2021)

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

Gelsemium can use the `IARPUinstallerStringLauncher` COM interface are part of its UAC bypass process.(Citation: ESET Gelsemium June 2021)

Enterprise T1036 .001 Masquerading: Invalid Code Signature

Gelsemium has used unverified signatures on malicious DLLs.(Citation: ESET Gelsemium June 2021)

.005 Masquerading: Match Legitimate Name or Location

Gelsemium has named malicious binaries `serv.exe`, `winprint.dll`, and `chrome_elf.dll` and has set its persistence in the Registry with the key value Chrome Update to appear legitimate.(Citation: ESET Gelsemium June 2021)

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Gelsemium can use junk code to hide functions and evade detection.(Citation: ESET Gelsemium June 2021)

.011 Obfuscated Files or Information: Fileless Storage

Gelsemium can store its components in the Registry.(Citation: ESET Gelsemium June 2021)

.013 Obfuscated Files or Information: Encrypted/Encoded File

Gelsemium has the ability to compress its components.(Citation: ESET Gelsemium June 2021)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Gelsemium has the ability to inject DLLs into specific processes.(Citation: ESET Gelsemium June 2021)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Gelsemium can check for the presence of specific security products.(Citation: ESET Gelsemium June 2021)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.