| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | BACKSPACE uses HTTP as a transport to communicate with its command server. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory. |
| enterprise | T1547.009 | Shortcut Modification | BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Adversaries can direct BACKSPACE to execute from the command line on infected hosts, or have BACKSPACE create a reverse shell. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.002 | Non-Standard Encoding | Newer variants of BACKSPACE will encode C2 communications with a custom system. |
| enterprise | T1041 | Exfiltration Over C2 Channel | Adversaries can direct BACKSPACE to upload files to the C2 server. |
| enterprise | T1083 | File and Directory Discovery | BACKSPACE allows adversaries to search for files. |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.004 | Disable or Modify System Firewall | The “ZR” variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected system. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed. |
| enterprise | T1112 | Modify Registry | BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system. |
| enterprise | T1104 | Multi-Stage Channels | BACKSPACE attempts to avoid detection by checking a first-stage command and control server to determine if it should connect to the second-stage server, which performs “louder” interactions with the malware. |
| enterprise | T1057 | Process Discovery | BACKSPACE may collect information about running processes. |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.001 | Internal Proxy | The “ZJ” variant of BACKSPACE allows “ZJ link” infections with Internet access to relay traffic from “ZJ listen” infections to a command server. |
| enterprise | T1012 | Query Registry | BACKSPACE is capable of enumerating and making modifications to an infected system’s Registry. |
| enterprise | T1082 | System Information Discovery | During its initial execution, BACKSPACE extracts operating system information from the infected host. |