S0043 BUBBLEWRAP

BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. ¹

Item	Value
ID	S0043
Associated Names
Type	MALWARE
Version	1.1
Created	31 May 2017
Last Modified	30 March 2020
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1071	Application Layer Protocol	-
enterprise	T1071.001	Web Protocols	BUBBLEWRAP can communicate using HTTP or HTTPS.¹
enterprise	T1095	Non-Application Layer Protocol	BUBBLEWRAP can communicate using SOCKS.¹
enterprise	T1082	System Information Discovery	BUBBLEWRAP collects system information, including the operating system version and hostname.¹

Groups That Use This Software

ID	Name	References
G0018	admin@338	¹

References

FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. ↩↩↩↩↩