S0023 CHOPSTICK
CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants.[3][1][2][4] It is tracked separately from the X-Agent for Android.
| Item | Value |
|---|---|
| ID | S0023 |
| Associated Names | Backdoor.SofacyX, SPLM, Xagent, X-Agent, webhp |
| Type | MALWARE |
| Version | 2.3 |
| Created | 31 May 2017 |
| Last Modified | 26 March 2023 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| Backdoor.SofacyX | [5] |
| SPLM | [1][2] |
| Xagent | [1][2] |
| X-Agent | [1][2] |
| webhp | [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Various implementations of CHOPSTICK communicate with C2 over HTTP.[1] |
| enterprise | T1071.003 | Mail Protocols | Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | CHOPSTICK is capable of performing remote command execution.[6][1] |
| enterprise | T1092 | Communication Through Removable Media | Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic.[3][1][7] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | CHOPSTICK can use a DGA for Fallback Channels; domains are generated by concatenating words from lists.[9] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | CHOPSTICK encrypts C2 communications with RC4.[1] |
| enterprise | T1573.002 | Asymmetric Cryptography | CHOPSTICK encrypts C2 communications with TLS.[1] |
| enterprise | T1008 | Fallback Channels | CHOPSTICK can switch to a new C2 channel if the current one is broken.[1] |
| enterprise | T1083 | File and Directory Discovery | An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.[1] |
| enterprise | T1105 | Ingress Tool Transfer | CHOPSTICK is capable of performing remote file transmission.[6] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | CHOPSTICK is capable of performing keylogging.[6][1][4] |
| enterprise | T1112 | Modify Registry | CHOPSTICK may modify Registry keys to store RC4-encrypted configuration information.[3] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.011 | Fileless Storage | CHOPSTICK may store RC4-encrypted configuration information in the Windows Registry.[3] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.001 | Internal Proxy | CHOPSTICK used a proxy server between victims and the C2 server.[1] |
| enterprise | T1012 | Query Registry | CHOPSTICK provides access to the Windows Registry, which can be used to gather information.[3] |
| enterprise | T1091 | Replication Through Removable Media | Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.[3][7][8] |
| enterprise | T1113 | Screen Capture | CHOPSTICK has the capability to capture screenshots.[4] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | CHOPSTICK checks for antivirus and forensics software.[3] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it.[3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [3][11][10][8] |
References
1. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
2. FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
3. FireEye. (2015). APT28: A Window into Russia's Cyber Espionage Operations? Retrieved August 19, 2015.
4. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
5. Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
6. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
7. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
8. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
9. ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.
10. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
11. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.