T9000

T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. [1] [2]

ID: S0098
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 31 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1546 .010 Event Triggered Execution: AppInit DLLs

If a victim meets certain criteria, T9000 uses the AppInit_DLL functionality to achieve persistence by ensuring that every user mode process that is spawned will load its malicious DLL, ResN32.dll. It does this by creating the following Registry values: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs set to %APPDATA%\Intel\ResN32.dll, and HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs set to 0x1.[2]
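A defender-side check for this persistence mechanism, added here as an example and not part of the ATT&CK entry or the cited reports: it audits the two registry values named above, flagging any AppInit DLL outside the system directories, and treats the T9000 path as a constructed inline sample rather than reading a live host.

```python
"""Audit AppInit_DLLs / LoadAppInit_DLLs values for non-system DLL paths."""
import re
from typing import Dict, List

# Constructed snapshot of the values T9000 writes under
# HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows.
# A real audit would read them with winreg; this sample is embedded inline.
SAMPLE_VALUES = {
    "LoadAppInit_DLLs": 1,
    "AppInit_DLLs": r"%APPDATA%\Intel\ResN32.dll",
}

# Paths a normal user can write to: a DLL injected into every process from
# here is a persistence red flag. Expanded and unexpanded forms both match.
USER_WRITABLE_MARKERS = ("%appdata%", "%localappdata%", "%temp%",
                         "%userprofile%", "\\users\\", "\\programdata\\")
SYSTEM_PREFIXES = ("%systemroot%\\system32\\", "%systemroot%\\syswow64\\",
                   "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def split_appinit_list(value: str) -> List[str]:
    """AppInit_DLLs holds zero or more paths separated by spaces or commas."""
    return [p.strip() for p in re.split(r"[ ,]+", value) if p.strip()]


def classify_path(path: str) -> str:
    """Return 'system', 'user-writable' or 'unknown' for one DLL entry."""
    p = path.lower()
    if any(p.startswith(prefix) for prefix in SYSTEM_PREFIXES):
        return "system"
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "user-writable"
    return "unknown"


def audit_appinit(values: Dict[str, object]) -> List[str]:
    """Return findings for every non-system AppInit DLL; empty list is clean."""
    findings: List[str] = []
    load_enabled = int(values.get("LoadAppInit_DLLs", 0) or 0) == 1
    for entry in split_appinit_list(str(values.get("AppInit_DLLs", ""))):
        kind = classify_path(entry)
        if kind == "system":
            continue
        # Without LoadAppInit_DLLs=1 the DLL is staged but not yet loaded.
        severity = "HIGH" if load_enabled else "MEDIUM"
        findings.append(f"{severity}: AppInit_DLLs entry {entry!r} is {kind} "
                        f"(LoadAppInit_DLLs={int(load_enabled)})")
    return findings


if __name__ == "__main__":
    for line in audit_appinit(SAMPLE_VALUES):
        print(line)
```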

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.[2]

Enterprise T1120 Peripheral Device Discovery

T9000 searches through connected drives for removable storage devices.[2]

Enterprise T1113 Screen Capture

T9000 can take screenshots of the desktop and target application windows, saving them to user directories as single-byte XOR-encrypted .dat files.[2]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

T9000 encrypts collected data using a single byte XOR key.[2]

Enterprise T1082 System Information Discovery

T9000 gathers and beacons the operating system build number and CPU architecture (32-bit/64-bit) during installation.[2]

Enterprise T1033 System Owner/User Discovery

T9000 gathers and beacons the username of the logged-in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM.[2]

Enterprise T1124 System Time Discovery

T9000 gathers and beacons the system time during installation.[2]

Enterprise T1016 System Network Configuration Discovery

T9000 gathers and beacons the MAC and IP addresses during installation.[2]

Enterprise T1119 Automated Collection

T9000 searches removable storage devices for files with a pre-defined list of file extensions (e.g. .doc, .ppt, .xls, .docx, .pptx, .xlsx). Any matching files are encrypted and written to a local user directory.[2]

Enterprise T1125 Video Capture

T9000 uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\Intel\Skype.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

T9000 performs checks for various antivirus and security products during installation.[2]

Enterprise T1123 Audio Capture

T9000 uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\Intel\Skype.[2]

References