| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | LookBack has a C2 proxy tool that masquerades as |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | LookBack uses a modified version of RC4 for data transfer.[1] |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | LookBack side loads its communications module as a DLL into the |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | LookBack sets up a Registry Run key to establish a persistence mechanism.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host.[1] |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | LookBack's C2 proxy tool sends data to a C2 server over HTTP.[1] |
| Enterprise | T1083 | File and Directory Discovery | LookBack can retrieve file listings from the victim machine.[1] |
| Enterprise | T1489 | Service Stop | |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | LookBack removes itself after execution and can delete files on the system.[1] |
| Enterprise | T1529 | System Shutdown/Reboot | |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1095 | Non-Application Layer Protocol | LookBack uses a custom binary protocol over sockets for C2 communications.[1] |