S0045 ADVSTORESHELL
ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. [1][2]
Item | Value |
---|---|
ID | S0045 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 31 May 2017 |
Last Modified | 30 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | ADVSTORESHELL connects to port 80 of a C2 server using the WinINet API. Data is exchanged via HTTP POSTs. [1] |
enterprise | T1560 | Archive Collected Data | ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration. [2] |
enterprise | T1560.003 | Archive via Custom Method | ADVSTORESHELL compresses output data generated by command execution with a custom implementation of the Lempel–Ziv–Welch (LZW) algorithm. [2] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | ADVSTORESHELL achieves persistence by adding itself to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key. [1][2][3] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | ADVSTORESHELL can create a remote shell and run a given command. [2][3] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding. [1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory. [2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | A variant of ADVSTORESHELL encrypts some C2 with 3DES. [3] |
enterprise | T1573.002 | Asymmetric Cryptography | A variant of ADVSTORESHELL encrypts some C2 with RSA. [3] |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.015 | Component Object Model Hijacking | Some variants of ADVSTORESHELL achieve persistence by registering the payload as a Shell Icon Overlay handler COM object. [2] |
enterprise | T1041 | Exfiltration Over C2 Channel | ADVSTORESHELL exfiltrates data over the same channel used for C2. [2] |
enterprise | T1083 | File and Directory Discovery | ADVSTORESHELL can list files and directories. [2][3] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | ADVSTORESHELL can delete files and directories. [2] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | ADVSTORESHELL can perform keylogging. [2][3] |
enterprise | T1112 | Modify Registry | ADVSTORESHELL is capable of setting and deleting Registry values. [3] |
enterprise | T1106 | Native API | ADVSTORESHELL is capable of starting a process using CreateProcess. [3] |
enterprise | T1027 | Obfuscated Files or Information | Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory. [1][3] |
enterprise | T1120 | Peripheral Device Discovery | ADVSTORESHELL can list connected devices. [2] |
enterprise | T1057 | Process Discovery | ADVSTORESHELL can list running processes. [2] |
enterprise | T1012 | Query Registry | ADVSTORESHELL can enumerate Registry keys. [2][3] |
enterprise | T1029 | Scheduled Transfer | ADVSTORESHELL collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes. [2] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence. [3] |
enterprise | T1082 | System Information Discovery | ADVSTORESHELL can run systeminfo to gather information about the victim. [2][3] |
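The persistence rows above (a HKCU Run value, a Run value that launches rundll32.exe, and a Shell Icon Overlay handler COM registration) and the %TEMP% staging row can be checked on a suspect host with a read-only PowerShell hunt. The script below is an added example written for this page; it is not code from ATT&CK or from the cited reports. The registry paths are the standard Windows locations for Run keys, shell icon overlay handlers and COM class registration. Treating a target that is missing or not validly signed as worth a closer look is a triage heuristic chosen here, not an indicator taken from the reports, and the .dat check is low-fidelity by design.

```powershell
# Added hunting script for this page (not from ATT&CK or the cited reports).
# Read-only check of the locations the table above attributes to ADVSTORESHELL:
#   1. HKCU Run / RunOnce values (T1547.001), flagging those that launch rundll32.exe (T1218.011)
#   2. Shell icon overlay handler COM registrations (T1546.015), resolving each CLSID to its DLL
#   3. .dat files in %TEMP% (T1074.001), a low-fidelity indicator that needs manual review
# Run from an elevated PowerShell prompt. Nothing is modified.

$findings = [System.Collections.Generic.List[object]]::new()
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-CommandPath {
    param([string]$Command)
    # Expand %VARIABLES% and pull the first .exe/.dll path out of a command line.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '(?i)"?([^"]+?\.(?:exe|dll))"?') { return $Matches[1] }
    return $expanded.Trim()
}

function Get-SignatureState {
    param([string]$Path)
    # Heuristic (ours, not from the reports): a Run/COM target that is missing or not validly signed merits review.
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'Missing' }
    return (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
}

function Add-Finding {
    param($Check, $Key, $Name, $Command, $Target, $Rundll32 = $false)
    $findings.Add([pscustomobject]@{
        Check     = $Check
        Key       = $Key
        Name      = $Name
        Command   = $Command
        Rundll32  = $Rundll32
        Target    = $Target
        Signature = Get-SignatureState $Target
    })
}

# 1. Run keys. ADVSTORESHELL wrote itself to HKCU\...\Run; some variants used rundll32.exe in the value.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -in $metaProps) { continue }   # skip the provider's own PS* properties
        $cmd = [string]$prop.Value
        $usesRundll = $cmd -match '(?i)\brundll32(\.exe)?\b'
        # For rundll32 entries the DLL argument, not rundll32 itself, is the file to inspect.
        $target = if ($usesRundll) {
            Resolve-CommandPath ($cmd -replace '(?i)^.*?rundll32(\.exe)?"?\s*', '')
        } else {
            Resolve-CommandPath $cmd
        }
        Add-Finding -Check 'RunKey' -Key $key -Name $prop.Name -Command $cmd -Target $target -Rundll32 $usesRundll
    }
}

# 2. Shell icon overlay handlers. Explorer loads every CLSID listed here; a per-user
#    HKCU\Software\Classes\CLSID entry is consulted before HKLM, which makes it the usual hijack location.
foreach ($overlayKey in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers',
                        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers') {
    if (-not (Test-Path $overlayKey)) { continue }
    foreach ($handler in Get-ChildItem -Path $overlayKey) {
        $clsid = (Get-ItemProperty -Path $handler.PSPath).'(default)'
        if (-not $clsid) { continue }
        foreach ($classRoot in 'HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID') {
            $inproc = Join-Path $classRoot "$clsid\InprocServer32"
            if (-not (Test-Path $inproc)) { continue }
            $dll = Resolve-CommandPath ((Get-ItemProperty -Path $inproc).'(default)')
            Add-Finding -Check 'ShellIconOverlay' -Key $inproc -Name $handler.PSChildName -Command $clsid -Target $dll
        }
    }
}

# 3. Staged output: the backdoor kept command output in a .dat file under %TEMP% before exfiltration.
Get-ChildItem -Path $env:TEMP -Filter '*.dat' -File -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding -Check 'TempDat' -Key $env:TEMP -Name $_.Name `
        -Command "$($_.Length) bytes, modified $($_.LastWriteTime)" -Target $_.FullName
}

# Full inventory first, then the subset a responder should look at first.
$findings | Format-Table Check, Name, Target, Signature, Rundll32 -AutoSize
"`n--- Review first: rundll32 launches, and targets that are missing or not validly signed ---"
$findings | Where-Object { $_.Rundll32 -or $_.Signature -ne 'Valid' } |
    Format-List Check, Key, Name, Command, Target, Signature
```

The script only reads the current user's hive; to cover other profiles on a shared host, load each user's NTUSER.DAT under HKU and repeat the Run-key and HKCU Classes checks against that hive. A legitimate overlay handler (cloud-sync clients are common) will show a valid signature and a DLL under Program Files, so the signature column is the quickest way to separate those from a DLL dropped in a user-writable directory.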
Groups That Use This Software
ID | Name | References |
---|---|---|
G0007 | APT28 | [1][4] |
References
1. Kaspersky Lab’s Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
2. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
3. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
4. Kaspersky Lab’s Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.