S0017 BISCUIT
BISCUIT is a backdoor that has been used by APT1 since as early as 2007.[1]
| Item | Value |
|---|---|
| ID | S0017 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | BISCUIT has a command to launch a command shell on the system.[2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | BISCUIT uses SSL for encrypting C2 communications.[2] |
| enterprise | T1008 | Fallback Channels | BISCUIT malware contains a secondary fallback command and control server that is contacted after the primary command and control server.[1][2] |
| enterprise | T1105 | Ingress Tool Transfer | BISCUIT has a command to download a file from the C2 server.[2] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | BISCUIT can capture keystrokes.[2] |
| enterprise | T1057 | Process Discovery | BISCUIT has a command to enumerate running processes and identify their owners.[2] |
| enterprise | T1113 | Screen Capture | BISCUIT has a command to periodically take screenshots of the system.[2] |
| enterprise | T1082 | System Information Discovery | BISCUIT has a command to collect the processor type, operating system, computer name, uptime, and whether the system is a laptop or PC.[2] |
| enterprise | T1033 | System Owner/User Discovery | BISCUIT has a command to gather the username from the system.[2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0006 | APT1 | [1] |