| Name | Description |
|---|---|
| Sofacy | This designation has been used in reporting both to refer to the threat group (APT28) and its associated malware.[1][2][3] |
| SOURFACE | |

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.[4] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1027 | Obfuscated Files or Information | CORESHELL obfuscates strings using a custom stream cipher.[1] |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW".[4] |
| Enterprise | T1082 | System Information Discovery | CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | |