Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV" in an apparent attempt to masquerade as a legitimate service.[1] |
| Enterprise | T1112 | Modify Registry | Exaramel for Windows adds the configuration to the Registry in XML format.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV."[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Exaramel for Windows has a command to launch a remote shell and execute commands on the victim's machine.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Exaramel for Windows has a command to execute VBS scripts on the victim's machine.[1] |
| Enterprise | T1560 | Archive Collected Data | Exaramel for Windows automatically encrypts files before sending them to the C2 server.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Exaramel for Windows specifies a path to store files scheduled for exfiltration.[1] |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | Exaramel for Windows stores the backdoor's configuration in the Registry in XML format.[1] |
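The service and Registry artifacts described above (a service named wsmprovav, the description "Windows Check AV", and an XML-formatted configuration in the Registry) can be checked for on a host. The following PowerShell is an added hunting example, not code from this page or from the cited report; the Registry location it inspects is an assumption, since the page does not say where the XML configuration is written.

```powershell
# Added hunting example (not from the ATT&CK page or the cited report).
# Flags services matching the indicators the page describes: a service named
# "wsmprovav" or one carrying the description "Windows Check AV". Run elevated.
function Find-ExaramelServiceIndicators {
    [CmdletBinding()]
    param(
        # Indicator values taken from the page; extend as needed.
        [string[]]$ServiceNames        = @('wsmprovav'),
        [string[]]$ServiceDescriptions = @('Windows Check AV')
    )

    $findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $nameHit = $ServiceNames -contains $svc.Name
        $descHit = $svc.Description -and ($ServiceDescriptions -contains $svc.Description.Trim())
        if (-not ($nameHit -or $descHit)) { continue }

        # Assumption: the page does not give the Registry path of the XML config,
        # so only the matched service's own key is checked for string values that
        # look like XML. Treat a hit as a pivot point for analysis, not as proof.
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
        $xmlValues = @()
        if (Test-Path $regPath) {
            $props = Get-ItemProperty -Path $regPath
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Value -is [string] -and $p.Value.TrimStart().StartsWith('<')) {
                    $xmlValues += $p.Name
                }
            }
        }

        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            ServiceName      = $svc.Name
            DisplayName      = $svc.DisplayName
            Description      = $svc.Description
            BinaryPath       = $svc.PathName   # pivot: hash and signature-check this binary
            StartMode        = $svc.StartMode
            State            = $svc.State
            MatchedOn        = @(if ($nameHit) { 'Name' }; if ($descHit) { 'Description' }) -join ','
            XmlLikeRegValues = $xmlValues -join ','
        }
    }
    return $findings
}

Find-ExaramelServiceIndicators | Format-Table -AutoSize
```

An empty result means only that these two string indicators were not present; the service name and description are trivially changed between builds, so pair this with the service-creation event logging (System 7045) recommended for T1543.003.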
| ID | Name | References |
|---|---|---|
| G0034 | Sandworm Team | |