DropBook
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1140 | 反混淆/解码文件或信息 |
DropBook can unarchive data downloaded from the C2 to obtain the payload and persistence modules.[1] |
|
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
DropBook can execute arbitrary shell commands on the victims' machines.[1][2] |
| .006 | 命令与脚本解释器: Python |
DropBook is a Python-based backdoor compiled with PyInstaller.[1] |
||
| Enterprise | T1083 | 文件和目录发现 |
DropBook can collect the names of all files and folders in the Program Files directories.[1][2] |
|
| Enterprise | T1614 | .001 | 系统位置发现: System Language Discovery |
DropBook has checked for the presence of Arabic language in the infected machine's settings.[2] |
| Enterprise | T1082 | 系统信息发现 |
DropBook has checked for the presence of Arabic language in the infected machine's settings.[1] |
|
| Enterprise | T1102 | 网络服务 |
DropBook can communicate with its operators by exploiting the Simplenote, DropBox, and the social media platform, Facebook, where it can create fake accounts to control the backdoor and receive instructions.[1][2] |
|
| Enterprise | T1105 | 输入工具传输 | ||
| Enterprise | T1567 | 通过网络服务渗出 |
DropBook has used legitimate web services to exfiltrate data.[2] |
|