ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary's targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | ShimRatReporter spoofed itself as |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | ShimRatReporter communicated over HTTP with preconfigured C2 servers.[1] |
| Enterprise | T1560 | Archive Collected Data | ShimRatReporter used LZ compression to compress initial reconnaissance reports before sending them to the C2.[1] |
| Enterprise | T1106 | Native API | ShimRatReporter used several Windows API functions to gather information from the infected system.[1] |
| Enterprise | T1069 | Permission Groups Discovery | ShimRatReporter gathered the local privileges for the infected host.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key.[1] |
| Enterprise | T1082 | System Information Discovery | ShimRatReporter gathered the operating system name and specific Windows version of an infected machine.[1] |
| Enterprise | T1049 | System Network Connections Discovery | ShimRatReporter used the Windows function |
| Enterprise | T1016 | System Network Configuration Discovery | ShimRatReporter gathered the local proxy, domain, IP, routing tables, MAC address, gateway, DNS servers, and DHCP status information from an infected host.[1] |
| Enterprise | T1119 | Automated Collection | ShimRatReporter gathered information about the user and host machine automatically, without instruction from a C2; the information is compiled into a report and sent to the operators.[1] |
| Enterprise | T1020 | Automated Exfiltration | ShimRatReporter sent collected system and network information, compiled into a report, to an adversary-controlled C2.[1] |
| Enterprise | T1087 | Account Discovery | ShimRatReporter listed all non-privileged and privileged accounts available on the machine.[1] |
| Enterprise | T1518 | Software Discovery | ShimRatReporter gathered a list of installed software on the infected host.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | ShimRatReporter had the ability to download additional payloads.[1] |
| Enterprise | T1057 | Process Discovery | ShimRatReporter listed all running processes on the machine.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | ShimRatReporter sent generated reports to the C2 via HTTP POST requests.[1] |