Backdoor.Oldrea
Backdoor.Oldrea is a modular backdoor that used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[1][2][3]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1555 | .003 | 从密码存储中获取凭证: Credentials from Web Browsers |
Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool.[1] |
| Enterprise | T1547 | .001 | 启动或登录自动启动执行: Registry Run Keys / Startup Folder |
Backdoor.Oldrea adds Registry Run keys to achieve persistence.[1][2] |
| Enterprise | T1560 | 归档收集数据 |
Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.[1] |
|
| Enterprise | T1132 | .001 | 数据编码: Standard Encoding |
Some Backdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.[1] |
| Enterprise | T1083 | 文件和目录发现 |
Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.[1] |
|
| Enterprise | T1070 | .004 | 移除指标: File Deletion |
Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.[1] |
| Enterprise | T1218 | .011 | 系统二进制代理执行: Rundll32 |
Backdoor.Oldrea can use rundll32 for execution on compromised hosts.[2] |
| Enterprise | T1082 | 系统信息发现 |
Backdoor.Oldrea collects information about the OS and computer name.[1][2] |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
Backdoor.Oldrea collects the current username from the victim.[1] |
|
| Enterprise | T1016 | 系统网络配置发现 |
Backdoor.Oldrea collects information about the Internet adapter configuration.[1][2] |
|
| Enterprise | T1046 | 网络服务发现 |
Backdoor.Oldrea can use a network scanning module to identify ICS-related ports.[2] |
|
| Enterprise | T1087 | .003 | 账号发现: Email Account |
Backdoor.Oldrea collects address book information from Outlook.[1] |
| Enterprise | T1105 | 输入工具传输 |
Backdoor.Oldrea can download additional modules from C2.[2] |
|
| Enterprise | T1057 | 进程发现 |
Backdoor.Oldrea collects information about running processes.[1] |
|
| Enterprise | T1055 | 进程注入 |
Backdoor.Oldrea injects itself into explorer.exe.[1][2] |
|
| Enterprise | T1018 | 远程系统发现 |
Backdoor.Oldrea can enumerate and map ICS-specific systems in victim environments.[2] |
|
| ICS | T0802 | Automated Collection |
Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. [4] |
|
| ICS | T0814 | Denial of Service |
The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications. [5] |
|
| ICS | T0861 | Point & Tag Identification |
The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices. [5] [4] |
|
| ICS | T0846 | Remote System Discovery |
The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. [6] |
|
| ICS | T0888 | Remote System Information Discovery |
The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process. [5] [4] |
|
| ICS | T0865 | Spearphishing Attachment |
The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails. [4] |
|
| ICS | T0862 | Supply Chain Compromise |
The Backdoor.Oldrea RAT is distributed through trojanized installers planted on compromised vendor sites. [4] |
|
| ICS | T0863 | User Execution |
Execution of Backdoor.Oldrea relies on a user opening a trojanized installer attached to an email. [4] [7] |
|
Groups That Use This Software
References
- Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
- Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
- Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01
- ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01
- Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell 2015, December 08 A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Retrieved. 2019/04/01
- Kyle Wilhoit Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ICS Malware: Havex and Black Energy Retrieved. 2019/10/22