Skip to content

S0023 CHOPSTICK

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. 3 1 2 4 It is tracked separately from the X-Agent for Android.

Item Value
ID S0023
Associated Names Backdoor.SofacyX, SPLM, Xagent, X-Agent, webhp
Type MALWARE
Version 2.2
Created 31 May 2017
Last Modified 14 April 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Backdoor.SofacyX 5
SPLM 1 2
Xagent 1 2
X-Agent 1 2
webhp 2

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Various implementations of CHOPSTICK communicate with C2 over HTTP.1
enterprise T1071.003 Mail Protocols Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.1
enterprise T1059 Command and Scripting Interpreter CHOPSTICK is capable of performing remote command execution.81
enterprise T1092 Communication Through Removable Media Part of APT28‘s operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic.316
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms CHOPSTICK can use a DGA for Fallback Channels, domains are generated by concatenating words from lists.9
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography CHOPSTICK encrypts C2 communications with RC4.1
enterprise T1573.002 Asymmetric Cryptography CHOPSTICK encrypts C2 communications with TLS.1
enterprise T1008 Fallback Channels CHOPSTICK can switch to a new C2 channel if the current one is broken.1
enterprise T1083 File and Directory Discovery An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.1
enterprise T1105 Ingress Tool Transfer CHOPSTICK is capable of performing remote file transmission.8
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging CHOPSTICK is capable of performing keylogging.814
enterprise T1112 Modify Registry CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry.3
enterprise T1090 Proxy -
enterprise T1090.001 Internal Proxy CHOPSTICK used a proxy server between victims and the C2 server.1
enterprise T1012 Query Registry CHOPSTICK provides access to the Windows Registry, which can be used to gather information.3
enterprise T1091 Replication Through Removable Media Part of APT28‘s operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.367
enterprise T1113 Screen Capture CHOPSTICK has the capability to capture screenshots.4
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery CHOPSTICK checks for antivirus and forensics software.3
enterprise T1497 Virtualization/Sandbox Evasion CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it.3

Groups That Use This Software

ID Name References
G0007 APT28 310117

References


  1. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. 

  2. FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. 

  3. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. 

  4. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. 

  5. Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. 

  6. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015. 

  7. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022. 

  8. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. 

  9. ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019. 

  10. Kaspersky Lab’s Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. 

  11. Kaspersky Lab’s Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. 

Back to top