zwShell
zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.[1]
ID: S0350
ⓘ
Type: MALWARE
ⓘ
Platforms: Windows
Version: 2.0
Created: 30 January 2019
Last Modified: 22 September 2022
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1112 | 修改注册表 | ||
| Enterprise | T1543 | .003 | 创建或修改系统进程: Windows Service |
zwShell has established persistence by adding itself as a new service.[1] |
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell | |
| Enterprise | T1083 | 文件和目录发现 | ||
| Enterprise | T1070 | .004 | 移除指标: File Deletion |
zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots.[1] |
| Enterprise | T1082 | 系统信息发现 | ||
| Enterprise | T1033 | 系统所有者/用户发现 |
zwShell can obtain the name of the logged-in user on the victim.[1] |
|
| Enterprise | T1016 | 系统网络配置发现 | ||
| Enterprise | T1021 | .001 | 远程服务: Remote Desktop Protocol | |
| .002 | 远程服务: SMB/Windows Admin Shares |
zwShell has been copied over network shares to move laterally.[1] |
||
| Enterprise | T1053 | .005 | 预定任务/作业: Scheduled Task | |
Campaigns
| ID | Name | Description |
|---|---|---|
| C0002 | Night Dragon |
During Night Dragon, threat actors used zwShell to generate Trojan variants, control victim machines, and exfiltrate data.[1] |