SHOTPUT

SHOTPUT is a custom backdoor used by APT3. ^[1]

ID: S0063

ⓘ

Associated Software: Backdoor.APT.CookieCutter, Pirpi

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 30 March 2020

Associated Software Descriptions

Name	Description
Backdoor.APT.CookieCutter	^[2]
Pirpi	^[2]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1083		文件和目录发现	SHOTPUT has a command to obtain a directory listing.^[3]
Enterprise	T1027		混淆文件或信息	SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.^[1]^[3]
Enterprise	T1049		系统网络连接发现	SHOTPUT uses netstat to list TCP connection status.^[3]
Enterprise	T1087	.001	账号发现: Local Account	SHOTPUT has a command to retrieve information about connected users.^[3]
Enterprise	T1057		进程发现	SHOTPUT has a command to obtain a process listing.^[3]
Enterprise	T1018		远程系统发现	SHOTPUT has a command to list all servers in the domain, as well as one to locate domain controllers on a domain.^[3]

Groups That Use This Software

ID	Name	References
G0022	APT3	^[1]

References

Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.

Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.