S0009 Hikit
Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.[2][1]
| Item | Value |
|---|---|
| ID | S0009 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.3 |
| Created | 31 May 2017 |
| Last Modified | 20 March 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Hikit has used HTTP for C2.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Hikit has the ability to create a remote shell and run given commands.[3] |
| enterprise | T1005 | Data from Local System | Hikit can upload files from compromised machines.[2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Hikit performs XOR encryption.[2] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | Hikit has used DLL Search Order Hijacking to load oci.dll as a persistence mechanism.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Hikit has the ability to download files to a compromised host.[2] |
| enterprise | T1566 | Phishing | Hikit has been spread through spear phishing.[2] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.001 | Internal Proxy | Hikit supports peer connections.[2] |
| enterprise | T1014 | Rootkit | Hikit is a rootkit that has been used by Axiom.[1][3] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.004 | Install Root Certificate | Hikit uses `certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root` and `certmgr.exe -add GlobalSign.cer -c -s -r localMachineTrustedPublisher` to install a self-generated certificate to the local trust store as a root CA and Trusted Publisher.[3] |
| enterprise | T1553.006 | Code Signing Policy Modification | Hikit has attempted to disable driver signing verification by tampering with several Registry keys prior to the loading of a rootkit driver component.[3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0001 | Axiom | [2][4] |
References
1. Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.
2. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
3. Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.
4. Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.