| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1025 | Data from Removable Media | BADNEWS copies files with certain extensions from USB devices to a predefined directory.[2] |
| Enterprise | T1005 | Data from Local System | When it first starts, BADNEWS crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.[1][3] |
| Enterprise | T1039 | Data from Network Shared Drive | When it first starts, BADNEWS crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.[1] |
| Enterprise | T1036.001 | Masquerading: Invalid Code Signature | BADNEWS is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate.[2] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | BADNEWS attempts to hide its payloads using legitimate filenames.[3] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23.[1][2] |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.[1][3] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | BADNEWS installs a registry Run key to establish persistence.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1120 | Peripheral Device Discovery | BADNEWS checks for newly attached drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message.[1][2] |
| Enterprise | T1113 | Screen Capture | BADNEWS has a command to take a screenshot and send it to the C2 server.[1][3] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | BADNEWS copies documents under 15MB found on the victim system to the user's |
| Enterprise | T1132 | Data Encoding | After encrypting C2 data, BADNEWS converts it into a hexadecimal representation and then encodes it into base64.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1083 | File and Directory Discovery | BADNEWS identifies files with certain extensions on USB devices, then copies them to a predefined directory.[2] |
| Enterprise | T1106 | Native API | BADNEWS has a command to download an .exe and execute it via the CreateProcess API. It can also run it with ShellExecute.[1][2] |
| Enterprise | T1102.001 | Web Service: Dead Drop Resolver | BADNEWS collects C2 information via a dead drop resolver.[1][3][2] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | BADNEWS can use multiple C2 channels, including RSS feeds, GitHub, forums, and blogs.[1][3][2] |
| Enterprise | T1119 | Automated Collection | BADNEWS monitors USB devices and copies files with certain extensions to a predefined directory.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[1][3][2] |
| Enterprise | T1056.001 | Input Capture: Keylogging | When it first starts, BADNEWS spawns a new thread to log keystrokes.[1][3][2] |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | BADNEWS has a command to download an .exe and use process hollowing to inject it into a new process.[1][2] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | BADNEWS creates a scheduled task to establish persistence by executing a malicious payload every subsequent minute.[3] |
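The T1573.001 and T1132 rows above together describe the outbound C2 transform: a per-byte ROR by 3 and XOR with 0x23, then a hex string, then base64. The following is an added example written for this page (it is not BADNEWS code and is not taken from the cited reports) that implements that pipeline and its inverse so a captured blob can be decoded, plus a cheap shape check for triaging traffic. Two details the table does not fix are assumed here: the rotate is applied before the XOR, and the hex layer is lowercase (the decoder accepts either case). All function names and the sample beacon are illustrative.

```python
"""BADNEWS-style C2 transform: ROR-3 + XOR 0x23 -> hex -> base64, and back."""
import base64
import binascii
import string

XOR_KEY = 0x23   # from the T1573.001 row
ROR_BITS = 3     # from the T1573.001 row


def ror8(value: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    n %= 8
    return ((value >> n) | (value << (8 - n))) & 0xFF


def rol8(value: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (inverse of ror8)."""
    n %= 8
    return ((value << n) | (value >> (8 - n))) & 0xFF


def encrypt(plaintext: bytes) -> bytes:
    """Per byte: ROR by 3, then XOR with 0x23 (ROR-then-XOR order is an assumption)."""
    return bytes(ror8(b, ROR_BITS) ^ XOR_KEY for b in plaintext)


def decrypt(ciphertext: bytes) -> bytes:
    """Undo encrypt(): XOR with 0x23 first, then rotate left by 3."""
    return bytes(rol8(b ^ XOR_KEY, ROR_BITS) for b in ciphertext)


def encode_c2(plaintext: bytes) -> str:
    """Outbound pipeline: encrypt -> hex (lowercase assumed) -> base64."""
    hexed = binascii.hexlify(encrypt(plaintext))
    return base64.b64encode(hexed).decode("ascii")


def looks_like_badnews_blob(blob: str) -> bool:
    """Triage check for captured traffic: the outer layer must be strict base64
    and the inner layer a non-empty, even-length run of hex digits only."""
    try:
        inner = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    return (len(inner) > 0 and len(inner) % 2 == 0
            and all(chr(c) in string.hexdigits for c in inner))


def decode_c2(blob: str) -> bytes:
    """Inbound pipeline: base64 -> unhex -> decrypt.
    Raises ValueError when the blob does not have the expected two-layer shape."""
    if not looks_like_badnews_blob(blob):
        raise ValueError("not a base64(hex(...)) blob")
    inner = base64.b64decode(blob, validate=True)
    return decrypt(binascii.unhexlify(inner))


if __name__ == "__main__":
    # Constructed sample beacon for demonstration; not real BADNEWS traffic.
    sample = b"id=1234&host=WORKSTATION-7"
    wire = encode_c2(sample)
    print("on the wire:", wire)
    print("recovered:  ", decode_c2(wire))
```

Because the transform is a fixed byte-wise permutation with no key material, a single known plaintext byte is enough to confirm the scheme on a captured sample: plaintext `A` (0x41) must appear on the wire as `MGI=`. The shape check is deliberately weak (any base64-wrapped hex string passes) and is meant only to filter candidates before attempting a decode.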