Gelsemium
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| Gelsevirine | (Citation: ESET Gelsemium June 2021) |
| Gelsenicine | (Citation: ESET Gelsemium June 2021) |
| Gelsemine | (Citation: ESET Gelsemium June 2021) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
Gelsemium can bypass UAC to elevate process privileges on a compromised host.(Citation: ESET Gelsemium June 2021) |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Gelsemium can use HTTP/S in C2 communications.(Citation: ESET Gelsemium June 2021) |
| .004 | Application Layer Protocol: DNS |
Gelsemium has the ability to use DNS in communication with C2.(Citation: ESET Gelsemium June 2021) |
||
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Gelsemium can set persistence with a Registry run key.(Citation: ESET Gelsemium June 2021) |
| .012 | Boot or Logon Autostart Execution: Print Processors |
Gelsemium can drop itself in |
||
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Gelsemium can use a batch script to delete itself.(Citation: ESET Gelsemium June 2021) |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Gelsemium can drop itself in `C:\Windows\System32\spool\prtprocs\x64\winprint.dll` as an alternative Print Processor to be loaded automatically when the spoolsv Windows service starts.(Citation: ESET Gelsemium June 2021) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Gelsemium can delete its dropper component from the targeted system.(Citation: ESET Gelsemium June 2021) |
| .006 | Indicator Removal: Timestomp |
Gelsemium has the ability to perform timestomping of files on targeted systems.(Citation: ESET Gelsemium June 2021) |
||
| Enterprise | T1559 | .001 | Inter-Process Communication: Component Object Model |
Gelsemium can use the `IARPUinstallerStringLauncher` COM interface are part of its UAC bypass process.(Citation: ESET Gelsemium June 2021) |
| Enterprise | T1036 | .001 | Masquerading: Invalid Code Signature |
Gelsemium has used unverified signatures on malicious DLLs.(Citation: ESET Gelsemium June 2021) |
| .005 | Masquerading: Match Legitimate Name or Location |
Gelsemium has named malicious binaries `serv.exe`, `winprint.dll`, and `chrome_elf.dll` and has set its persistence in the Registry with the key value |
||
| Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
Gelsemium can use junk code to hide functions and evade detection.(Citation: ESET Gelsemium June 2021) |
| Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
Gelsemium has the ability to inject DLLs into specific processes.(Citation: ESET Gelsemium June 2021) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Gelsemium can check for the presence of specific security products.(Citation: ESET Gelsemium June 2021) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.