BADFLICK

BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.[1][2]

ID: S0642
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 26 August 2021
Last Modified: 15 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

BADFLICK has uploaded files from victims' machines.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

BADFLICK can decode shellcode using a custom rotating XOR cipher.[2]

Enterprise T1560.002 Archive Collected Data: Archive via Library

BADFLICK has compressed data using the aPLib compression library.[2]

Enterprise T1083 File and Directory Discovery

BADFLICK has searched for files on the infected host.[2]

Enterprise T1204.002 User Execution: Malicious File

BADFLICK has relied upon users clicking on a malicious attachment delivered through spearphishing.[2]

Enterprise T1082 System Information Discovery

BADFLICK has captured victim computer name, memory space, and CPU details.[2]

Enterprise T1016 System Network Configuration Discovery

BADFLICK has captured victim IP address details.[2]

Enterprise T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion

BADFLICK has delayed communication to the actor-controlled IP address by 5 minutes.[2]

Enterprise T1105 Ingress Tool Transfer

BADFLICK has downloaded files from its C2 server.[2]

Enterprise T1566.001 Phishing: Spearphishing Attachment

BADFLICK has been distributed via spearphishing campaigns containing malicious Microsoft Word documents.[2]

Groups That Use This Software

ID Name References
G0065 Leviathan [1][2]

References