S0015 Ixeshe
Ixeshe is a malware family that has been used since at least 2009 against targets in East Asia. [1]
Item | Value |
---|---|
ID | S0015 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 31 May 2017 |
Last Modified | 20 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Ixeshe uses HTTP for command and control. [1][2] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Ixeshe can achieve persistence by adding itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key. [2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Ixeshe is capable of executing commands via cmd. [2] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | Ixeshe uses custom Base64 encoding schemes to obfuscate command and control traffic in the message body of HTTP requests. [1][2] |
enterprise | T1005 | Data from Local System | Ixeshe can collect data from a local system. [2] |
enterprise | T1083 | File and Directory Discovery | Ixeshe can list file and directory information. [2] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | Ixeshe sets its own executable file's attributes to hidden. [2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Ixeshe has a command to delete a file from the machine. [2] |
enterprise | T1105 | Ingress Tool Transfer | Ixeshe can download and execute additional files. [2] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe. [2] |
enterprise | T1057 | Process Discovery | Ixeshe can list running processes. [2] |
enterprise | T1082 | System Information Discovery | Ixeshe collects the computer name of the victim's system during the initial infection. [2] |
enterprise | T1016 | System Network Configuration Discovery | Ixeshe enumerates the IP address, network proxy settings, and domain name from a victim's system. [2] |
enterprise | T1033 | System Owner/User Discovery | Ixeshe collects the username from the victim's machine. [2] |
enterprise | T1007 | System Service Discovery | Ixeshe can list running services. [2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0005 | APT12 | [1][3] |
References
1. Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 12, 2014.
2. Sancho, D., et al. (2012, May 22). IXESHE: An APT Campaign. Retrieved June 7, 2019.
3. Moran, N., Oppenheim, M., Engle, S., & Wartell, R. (2014, September 3). Darwin's Favorite APT Group [Blog]. Retrieved November 12, 2014.