Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of Control Panel items.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[1] |
| Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | Reaver encrypts collected data with an incremental XOR key prior to exfiltration.[1] |
| Enterprise | T1012 | Query Registry | Reaver queries the Registry to determine the correct Startup path to use for persistence.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Reaver deletes the original dropped file from the victim.[1] |
| Enterprise | T1218.002 | System Binary Proxy Execution: Control Panel | Reaver drops and executes a malicious CPL file as its payload.[1] |
| Enterprise | T1082 | System Information Discovery | Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.[1] |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1095 | Non-Application Layer Protocol | |
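The T1560.003 row says collected data is encrypted with an "incremental XOR key" before exfiltration. The following is an added example, not Reaver's code and not from the cited report, of what that scheme looks like and how an analyst recovers the key from a captured blob. It assumes (the report does not say) that the key is a single byte XORed with each plaintext byte and incremented mod 256 after every byte; the sample record is constructed, not a real capture.

```python
from typing import Optional

# Constructed sample of the kind of host data Reaver is reported to collect
# (not a real capture); the field names are our own.
SAMPLE_RECORD = (
    b"CPU=2400MHz;HOST=WKS-01;VOLSN=1A2B3C4D;ACP=1252;OEMCP=437;"
    b"WINVER=6.1.7601;MEM=8192MB"
)


def xor_incremental(data: bytes, start_key: int) -> bytes:
    """Assumed scheme: XOR each byte with a one-byte key, then increment the
    key (mod 256).  Applying it twice with the same start key restores the
    input, so one routine serves as both encrypt and decrypt."""
    out = bytearray()
    key = start_key & 0xFF
    for b in data:
        out.append(b ^ key)
        key = (key + 1) & 0xFF
    return bytes(out)


def keystream_from_known_plaintext(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Recover the effective key bytes wherever the plaintext is known:
    k_i = c_i XOR p_i.  This needs no assumption about how the key evolves
    and is the first thing to try on an unknown XOR-obfuscated blob."""
    n = min(len(ciphertext), len(plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], plaintext[:n]))


def is_incremental_keystream(ks: bytes) -> bool:
    """True when every key byte is the previous one plus 1 (mod 256), which
    distinguishes the incremental pattern from a fixed key (constant
    keystream) or a real cipher (no visible structure)."""
    return len(ks) >= 2 and all(
        ks[i] == (ks[i - 1] + 1) & 0xFF for i in range(1, len(ks))
    )


def recover_start_key(ciphertext: bytes, known_prefix: bytes) -> Optional[int]:
    """Brute-force the 256 possible start keys against a known prefix such
    as a collector's fixed header or a field name (here b"CPU=").  Because
    XOR with a byte is a bijection, a prefix of even one byte pins the key."""
    for k in range(256):
        if xor_incremental(ciphertext[: len(known_prefix)], k) == known_prefix:
            return k
    return None


if __name__ == "__main__":
    blob = xor_incremental(SAMPLE_RECORD, 0x5A)
    ks = keystream_from_known_plaintext(blob, b"CPU=2400")
    print("keystream:", ks.hex(), "incremental:", is_incremental_keystream(ks))
    k = recover_start_key(blob, b"CPU=")
    print("start key:", hex(k), "->", xor_incremental(blob, k))
```

The practical lesson is that a per-byte incrementing XOR is not encryption: a few bytes of known or guessable plaintext (field names, a header, the victim hostname) expose the keystream, its structure identifies the scheme, and the whole blob decrypts in 256 trials at most.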
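Two rows in the table describe host behaviour that is cheap to detect: the malicious CPL executed as the payload (T1218.002) and the shortcut dropped into a Startup folder (T1547.001/.009). The following is an added detection example written for this page, not code from the cited report or from ATT&CK. It runs two rules over constructed Sysmon-style events (process creation, event 1; file creation, event 11) built inline; the field names follow Sysmon's schema, while the events themselves, the path patterns, and the choice to treat any .cpl outside System32/SysWOW64 as suspect are this example's own assumptions.

```python
import re
from typing import Dict, Iterable, List

# Constructed Sysmon-style events (not real telemetry).  The second and
# third process-creation events and the first file-creation event mimic
# the behaviour described in the table; the rest are benign noise.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" timedate.cpl'},
    {"EventID": "1", "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r"control.exe C:\Users\bob\AppData\Local\Temp\update.cpl"},
    {"EventID": "1", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL C:\ProgramData\svc.cpl"},
    {"EventID": "11", "Image": r"C:\Users\bob\AppData\Local\Temp\update.cpl",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\svc.lnk"},
    {"EventID": "11", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Desktop\Notes.lnk"},
]

# A .cpl argument, quoted (may contain spaces) or bare.
CPL_ARG = re.compile(r'"([^"]+?\.cpl)"|(\S+\.cpl)\b', re.IGNORECASE)
# Control Panel items that ship with Windows live under these directories;
# a full path anywhere else (Temp, AppData, ProgramData, a profile) is the
# interesting case.  Assumption of this example, not a Windows guarantee.
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
# Per-user and all-users Startup folders share this tail.
STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\",
                         re.IGNORECASE)
CPL_HOSTS = ("control.exe", "rundll32.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def cpl_proxy_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """T1218.002: control.exe or rundll32.exe given a .cpl that is not in a
    system directory.  Bare names such as timedate.cpl are left alone here;
    a stricter deployment could alert on them too, since control.exe
    resolves a bare name through the search path."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "1" or _basename(ev.get("Image", "")) not in CPL_HOSTS:
            continue
        for quoted, bare in CPL_ARG.findall(ev.get("CommandLine", "")):
            path = quoted or bare
            if "\\" in path and not SYSTEM_DIRS.match(path):
                alerts.append({"technique": "T1218.002", "path": path,
                               "command": ev["CommandLine"]})
    return alerts


def startup_lnk_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """T1547.001/.009: a .lnk written into a Startup folder.  The creating
    process is reported so an analyst can see a non-Explorer writer at once."""
    alerts = []
    for ev in events:
        target = ev.get("TargetFilename", "")
        if ev.get("EventID") == "11" and target.lower().endswith(".lnk") \
                and STARTUP_DIR.search(target):
            alerts.append({"technique": "T1547.001", "path": target,
                           "writer": ev.get("Image", "")})
    return alerts


if __name__ == "__main__":
    for a in cpl_proxy_alerts(SAMPLE_EVENTS) + startup_lnk_alerts(SAMPLE_EVENTS):
        print(a)
```

Correlating the two rules is the useful step: a .cpl that was proxied from a user-writable path and then wrote a Startup-folder shortcut, as in the constructed events above, matches the sequence the table describes far more specifically than either rule alone. Expect benign hits from legitimate installers that use control.exe with shipped applets and from users pinning shortcuts into Startup; the writer process and the .cpl location are the fields to tune on.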