DEADWOOD
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1036 | .004 | 伪装: Masquerade Task or Service |
DEADWOOD will attempt to masquerade its service execution using benign-looking names such as |
| Enterprise | T1140 | 反混淆/解码文件或信息 |
DEADWOOD XORs some strings within the binary using the value |
|
| Enterprise | T1485 | 数据销毁 |
DEADWOOD overwrites files on victim systems with random data to effectively destroy them.[1] |
|
| Enterprise | T1027 | .009 | 混淆文件或信息: Embedded Payloads |
DEADWOOD contains an embedded, AES-encrypted payload labeled |
| .013 | 混淆文件或信息: Encrypted/Encoded File |
DEADWOOD contains an embedded, AES-encrypted resource named |
||
| Enterprise | T1561 | .001 | 磁盘擦除: Disk Content Wipe |
DEADWOOD deletes files following overwriting them with random data.[1] |
| .002 | 磁盘擦除: Disk Structure Wipe |
DEADWOOD opens and writes zeroes to the first 512 bytes of each drive, deleting the MBR. DEADWOOD then sends the control code |
||
| Enterprise | T1124 | 系统时间发现 |
DEADWOOD will set a timestamp value to determine when wiping functionality starts. When the timestamp is met on the system, a trigger file is created on the operating system allowing for execution to proceed. If the timestamp is in the past, the wiper will execute immediately.[1] |
|
| Enterprise | T1569 | .002 | 系统服务: Service Execution |
DEADWOOD can be executed as a service using various names, such as |
| Enterprise | T1531 | 账号访问移除 |
DEADWOOD changes the password for local and domain users via |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0064 | APT33 |
DEADWOOD was previously linked to APT33 operations in 2019.[2] |
| G1030 | Agrius |