Chrommme

Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with Gelsemium malware.^[1]

ID: S0667

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 01 December 2021

Last Modified: 11 April 2024

Techniques Used

Domain	ID		Name	Use
Enterprise	T1005		从本地系统获取数据	Chrommme can collect data from a local system.^[1]
Enterprise	T1140		反混淆/解码文件或信息	Chrommme can decrypt its encrypted internal code.^[1]
Enterprise	T1113		屏幕捕获	Chrommme has the ability to capture screenshots.^[1]
Enterprise	T1560		归档收集数据	Chrommme can encrypt and store on disk collected data before exfiltration.^[1]
Enterprise	T1074	.001	数据分段: Local Data Staging	Chrommme can store captured system information locally prior to exfiltration.^[1]
Enterprise	T1106		本机API	Chrommme can use Windows API including `WinExec` for execution.^[1]
Enterprise	T1027	.013	混淆文件或信息: Encrypted/Encoded File	Chrommme can encrypt sections of its code to evade detection.^[1]
Enterprise	T1082		系统信息发现	Chrommme has the ability to list drives and obtain the computer name of a compromised host.^[1]
Enterprise	T1033		系统所有者/用户发现	Chrommme can retrieve the username from a targeted system.^[1]
Enterprise	T1016		系统网络配置发现	Chrommme can enumerate the IP address of a compromised host.^[1]
Enterprise	T1105		输入工具传输	Chrommme can download its code from C2.^[1]
Enterprise	T1041		通过C2信道渗出	Chrommme can exfiltrate collected data via C2.^[1]
Enterprise	T1029		预定传输	Chrommme can set itself to sleep before requesting a new command from C2.^[1]

References

Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.

Chrommme

Enterprise Layer

Techniques Used

References