1. Home
  2. Software
  3. NETEAGLE

NETEAGLE

NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as "Scout" and "Norton." [1]

ID: S0034
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1573 .001 加密通道: Symmetric Cryptography

NETEAGLE will decrypt resources it downloads with HTTP requests by using RC4 with the key "ScoutEagle."[1]
Enterprise T1568 动态解析

NETEAGLE can use HTTP to download resources that contain an IP address and port number pair to connect to for C2.[1]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

The "SCOUT" variant of NETEAGLE achieves persistence by adding itself to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.[1]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

NETEAGLE allows adversaries to execute shell commands on the infected host.[1]
Enterprise T1008 回退信道

NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000.[1]
Enterprise T1071 应用层协议

Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519.
.001 Web Protocols

NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request. NETEAGLE will also use HTTP to download resources that contain an IP address and Port Number pair to connect to for further C2.[1]
Enterprise T1083 文件和目录发现

NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.[1]
Enterprise T1057 进程发现

NETEAGLE can send process listings over the C2 channel.[1]
Enterprise T1041 通过C2信道渗出

NETEAGLE is capable of reading files over the C2 channel.[1]
Enterprise T1095 非应用层协议

If NETEAGLE does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, NETEAGLE will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs.[1]

Groups That Use This Software

ID Name References
G0013 APT30

[1]

References

  1. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.