BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013. [1] [2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | BLACKCOFFEE has the capability to create a reverse shell.[1] |
| Enterprise | T1104 | Multi-Stage Channels | BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims’ machines.[1] |
| Enterprise | T1083 | File and Directory Discovery | BLACKCOFFEE has the capability to enumerate files.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | BLACKCOFFEE has the capability to delete files.[1] |
| Enterprise | T1102.001 | Web Service: Dead Drop Resolver | BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server.[1][2] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | BLACKCOFFEE has also obfuscated its C2 traffic as normal traffic to sites such as Github.[1][2] |
| Enterprise | T1057 | Process Discovery | BLACKCOFFEE has the capability to discover processes.[1] |