ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. [1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1546.011 | Event Triggered Execution: Application Shimming | ShimRat has installed shim databases in the |
| Enterprise | T1005 | Data from Local System | ShimRat has the capability to upload collected files to a C2.[1] |
| Enterprise | T1090.002 | Proxy: External Proxy | |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems.[1] |
| Enterprise | T1112 | Modify Registry | ShimRat has registered two registry keys for shim databases.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | ShimRat has installed a Windows service to maintain persistence on victim machines.[1] |
| Enterprise | T1574 | Hijack Execution Flow | ShimRat can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | ShimRat has installed a registry-based start-up key |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | ShimRat can be issued a command shell function from the C2.[1] |
| Enterprise | T1008 | Fallback Channels | ShimRat has used a secondary C2 location if the first was unavailable.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | ShimRat communicated over HTTP and HTTPS with C2 servers.[1] |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1106 | Native API | ShimRat has used Windows API functions to install the service and shim.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack.[1] |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | ShimRat has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Account Control window from appearing.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | ShimRat can uninstall itself from compromised hosts, as well as create and modify directories and delete, move, copy, and rename files.[1] |
| Enterprise | T1135 | Network Share Discovery | ShimRat can enumerate connected drives on infected host machines.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1029 | Scheduled Transfer | |