| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1115 | Clipboard Data | The executable version of Helminth has a module to log clipboard contents.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Helminth encrypts data sent to its C2 server over HTTP with RC4.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Helminth establishes persistence by creating a shortcut in the Start Menu folder.[1] |
| Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Helminth can provide a remote shell. One version of Helminth uses batch scripting.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | |
| Enterprise | T1030 | Data Transfer Size Limits | Helminth splits data into chunks of up to 23 bytes and sends the data in DNS queries to its C2 server.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | For C2 over HTTP, Helminth encodes data with base64 and sends it via the "Cookie" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values and sends the data in cleartext.[1] |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1119 | Automated Collection | A Helminth VBScript receives a batch script to execute a set of commands in a command prompt.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1056.001 | Input Capture: Keylogging | The executable version of Helminth has a module to log keystrokes.[1] |
| Enterprise | T1057 | Process Discovery | Helminth has used Tasklist to get information on processes.[2] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Helminth samples have been signed with legitimate, compromised code signing certificates owned by the software company AI Squared.[3] |