GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020; it is likely used by FIN6 and Wizard Spider.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | GrimAgent can collect data and files from a compromised host.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | GrimAgent can use an AES key to encrypt C2 communications.[1] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | GrimAgent can use a hardcoded server public RSA key to encrypt the first request to C2.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | GrimAgent can use the Windows Command Shell to execute commands, including its own removal.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | GrimAgent has the ability to use HTTP for C2 communications.[1] |
| Enterprise | T1480.002 | Execution Guardrails: Mutual Exclusion | GrimAgent uses the last 64 bytes of the binary to compute a mutex name. If the generated name is invalid, it will default to the generic |
| Enterprise | T1001.001 | Data Obfuscation: Junk Data | GrimAgent can pad C2 messages with randomly generated values.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1083 | File and Directory Discovery | GrimAgent has the ability to enumerate files and directories on a compromised host.[1] |
| Enterprise | T1106 | Native API | GrimAgent can use Native API including |
| Enterprise | T1027 | Obfuscated Files or Information | GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.[1] |
| Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | GrimAgent has the ability to add bytes to change the file hash.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1070.009 | Indicator Removal: Clear Persistence | GrimAgent can delete previously created tasks on a compromised host.[1] |
| Enterprise | T1614 | System Location Discovery | GrimAgent can identify the country code on a compromised host.[1] |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | GrimAgent has used |
| Enterprise | T1082 | System Information Discovery | GrimAgent can collect the OS and build version on a compromised host.[1] |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | GrimAgent can enumerate the IP and domain of a target system.[1] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | GrimAgent can sleep for 195 - 205 seconds after payload execution and before deleting its task.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | GrimAgent has the ability to download and execute additional payloads.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | GrimAgent has sent data related to a compromised host over its C2 channel.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | GrimAgent has the ability to set persistence using the Task Scheduler.[1] |