| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1090.002 | Proxy: External Proxy | Okrum can identify proxy servers configured and used by the victim, and use them to make HTTP requests to its C2 server.[1] |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | To establish persistence, Okrum can install itself as a new service named NtmSsvc.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Okrum uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C2 server in the registration phase.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Okrum's loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.[1] |
| Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | Okrum can establish persistence by creating a .lnk shortcut to itself in the Startup folder.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Okrum's backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Okrum was seen using a RAR archiver tool to compress/decompress data.[1] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | Okrum has used a custom implementation of AES encryption to encrypt collected data.[1] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Okrum was seen using MimikatzLite to perform credential dumping.[1] |
| Enterprise | T1003.005 | OS Credential Dumping: Cached Domain Credentials | Okrum was seen using a modified Quarks PwDump to perform credential dumping.[1] |
| Enterprise | T1001 | Data Obfuscation | Okrum leverages the HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.[1] |
| Enterprise | T1001.003 | Data Obfuscation: Protocol or Service Impersonation | Okrum leverages the HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1083 | File and Directory Discovery | Okrum has used DriveLetterView to enumerate drive information.[1] |
| Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | Okrum's payload is encrypted and embedded within its loader, or within a legitimate PNG file.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Okrum's backdoor deletes files after they have been successfully uploaded to C2 servers.[1] |
| Enterprise | T1082 | System Information Discovery | Okrum can collect the computer name, locale information, and information about the OS and architecture.[1] |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1124 | System Time Discovery | Okrum can obtain the date and time of the compromised system.[1] |
| Enterprise | T1569.002 | System Services: Service Execution | Okrum's loader can create a new service named NtmsSvc to execute the payload.[1] |
| Enterprise | T1049 | System Network Connections Discovery | Okrum was seen using NetSess to discover NetBIOS sessions.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Okrum can collect network information, including the host IP address, DNS, and proxy information.[1] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Okrum's loader can check the amount of physical memory and terminates itself if the host has less than 1.5 gigabytes of physical memory in total.[1] |
| Enterprise | T1497.002 | Virtualization/Sandbox Evasion: User Activity Based Checks | Okrum's loader only executes the payload after the left mouse button has been pressed at least three times, in order to avoid being executed within virtualized or emulated environments.[1] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Okrum's loader can detect the presence of an emulator by using two calls to the GetTickCount API and checking whether the time has been accelerated.[1] |
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Okrum has built-in commands for uploading, downloading, and executing files on the system.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | Okrum was seen using a keylogger tool to capture keystrokes.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Data exfiltration is done by Okrum using the already opened channel with the C2 server.[1] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Before exfiltration, Okrum's backdoor has used hidden files to store logs and outputs from backdoor commands.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Okrum's installer can attempt to achieve persistence by creating a scheduled task.[1] |