ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. [1] [2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | Some variants of ADVSTORESHELL achieve persistence by registering the payload as a Shell Icon Overlay handler COM object.[2] |
| Enterprise | T1112 | Modify Registry | ADVSTORESHELL is capable of setting and deleting Registry values.[3] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | A variant of ADVSTORESHELL encrypts some C2 with 3DES.[3] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | A variant of ADVSTORESHELL encrypts some C2 with RSA.[3] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | ADVSTORESHELL achieves persistence by adding itself to the |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | ADVSTORESHELL can create a remote shell and run a given command.[2][3] |
| Enterprise | T1120 | Peripheral Device Discovery | ADVSTORESHELL can list connected devices.[2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | ADVSTORESHELL connects to port 80 of a C2 server using the WinINet API. Data is exchanged via HTTP POSTs.[1] |
| Enterprise | T1560 | Archive Collected Data | ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.[2] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | ADVSTORESHELL compresses output data generated by command execution with a custom implementation of the Lempel–Ziv–Welch (LZW) algorithm.[2] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.[2] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding.[1] |
| Enterprise | T1083 | File and Directory Discovery | ADVSTORESHELL can list files and directories.[2][3] |
| Enterprise | T1106 | Native API | ADVSTORESHELL is capable of starting a process using CreateProcess.[3] |
| Enterprise | T1012 | Query Registry | ADVSTORESHELL can enumerate registry keys.[2][3] |
| Enterprise | T1027 | Obfuscated Files or Information | Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.[1][3] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | ADVSTORESHELL can delete files and directories.[2] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence.[3] |
| Enterprise | T1082 | System Information Discovery | ADVSTORESHELL can run Systeminfo to gather information about the victim.[2][3] |
| Enterprise | T1056.001 | Input Capture: Keylogging | ADVSTORESHELL can perform keylogging.[2][3] |
| Enterprise | T1057 | Process Discovery | ADVSTORESHELL can list running processes.[2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | ADVSTORESHELL exfiltrates data over the same channel used for C2.[2] |
| Enterprise | T1029 | Scheduled Transfer | ADVSTORESHELL collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes.[2] |