CHOPSTICK

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. [1] [2] [3] [4] It is tracked separately from the X-Agent for Android.

ID: S0023
Associated Software: Backdoor.SofacyX, SPLM, Xagent, X-Agent, webhp
Type: MALWARE
Platforms: Windows, Linux
Contributors: Richard Gold, Digital Shadows
Version: 2.3
Created: 31 May 2017
Last Modified: 26 March 2023

Associated Software Descriptions

Name | Description
Backdoor.SofacyX | [5]
SPLM | [2] [3]
Xagent | [2] [3]
X-Agent | [2] [3]
webhp | [3]

Techniques Used

Domain | ID | Name | Use

Enterprise | T1090.001 | Proxy: Internal Proxy

CHOPSTICK used a proxy server between victims and the C2 server.[2]

Enterprise | T1112 | Modify Registry

CHOPSTICK may modify Registry keys to store RC4 encrypted configuration information.[1]

Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography

CHOPSTICK encrypts C2 communications with RC4.[2]

Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography

CHOPSTICK encrypts C2 communications with TLS.[2]

Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms

CHOPSTICK can use a DGA for Fallback Channels; domains are generated by concatenating words from lists.[6]

Enterprise | T1059 | Command and Scripting Interpreter

CHOPSTICK is capable of performing remote command execution.[7][2]

Enterprise | T1008 | Fallback Channels

CHOPSTICK can switch to a new C2 channel if the current one is broken.[2]

Enterprise | T1113 | Screen Capture

CHOPSTICK has the capability to capture screenshots.[4]

Enterprise | T1071.001 | Application Layer Protocol: Web Protocols

Various implementations of CHOPSTICK communicate with C2 over HTTP.[2]

Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols

Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.[2]

Enterprise | T1083 | File and Directory Discovery

An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.[2]

Enterprise | T1012 | Query Registry

CHOPSTICK provides access to the Windows Registry, which can be used to gather information.[1]

Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage

CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry.[1]

Enterprise | T1497 | Virtualization/Sandbox Evasion

CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it.[1]

Enterprise | T1518.001 | Software Discovery: Security Software Discovery

CHOPSTICK checks for antivirus and forensics software.[1]

Enterprise | T1105 | Ingress Tool Transfer

CHOPSTICK is capable of performing remote file transmission.[7]

Enterprise | T1056.001 | Input Capture: Keylogging

CHOPSTICK is capable of performing keylogging.[7][2][4]

Enterprise | T1091 | Replication Through Removable Media

Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.[1][8][9]

Enterprise | T1092 | Communication Through Removable Media

Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic.[1][2][8]

Groups That Use This Software

ID | Name | References
G0007 | APT28 | [1][10][11][9]

References