Neoichor

Neoichor is C2 malware used by Ke3chang since at least 2019; similar malware families used by the group include Leeson and Numbldea.^[1]

ID: S0691

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 22 March 2022

Last Modified: 11 April 2022

Techniques Used

Domain	ID		Name	Use
Enterprise	T1005		从本地系统获取数据	Neoichor can upload files from a victim's machine.^[1]
Enterprise	T1112		修改注册表	Neoichor has the ability to configure browser settings by modifying Registry entries under `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer`.^[1]
Enterprise	T1071	.001	应用层协议: Web Protocols	Neoichor can use HTTP for C2 communications.^[1]
Enterprise	T1070		移除指标	Neoichor can clear the browser history on a compromised host by changing the `ClearBrowsingHistoryOnExit` value to 1 in the `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy` Registry key.^[1]
Enterprise	T1614	.001	系统位置发现: System Language Discovery	Neoichor can identify the system language on a compromised host.^[1]
Enterprise	T1082		系统信息发现	Neoichor can collect the OS version and computer name from a compromised host.^[1]
Enterprise	T1033		系统所有者/用户发现	Neoichor can collect the user name from a victim's machine.^[1]
Enterprise	T1016		系统网络配置发现	Neoichor can gather the IP address from an infected host.^[1]
		.001	Internet Connection Discovery	Neoichor can check for Internet connectivity by contacting bing[.]com with the request format `bing[.]com?id=<GetTickCount>`.^[1]
Enterprise	T1105		输入工具传输	Neoichor can download additional files onto a compromised host.^[1]
Enterprise	T1559	.001	进程间通信: Component Object Model	Neoichor can use the Internet Explorer (IE) COM interface to connect and receive commands from C2.^[1]

Groups That Use This Software

ID	Name	References
G0004	Ke3chang	^[1]

References

MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.