Skip to content

S0045 ADVSTORESHELL

ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. 1 2

Item Value
ID S0045
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols ADVSTORESHELL connects to port 80 of a C2 server using Wininet API. Data is exchanged via HTTP POSTs.1
enterprise T1560 Archive Collected Data ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.2
enterprise T1560.003 Archive via Custom Method ADVSTORESHELL compresses output data generated by command execution with a custom implementation of the Lempel–Ziv–Welch (LZW) algorithm.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder ADVSTORESHELL achieves persistence by adding itself to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.123
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell ADVSTORESHELL can create a remote shell and run a given command.23
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography A variant of ADVSTORESHELL encrypts some C2 with 3DES.3
enterprise T1573.002 Asymmetric Cryptography A variant of ADVSTORESHELL encrypts some C2 with RSA.3
enterprise T1546 Event Triggered Execution -
enterprise T1546.015 Component Object Model Hijacking Some variants of ADVSTORESHELL achieve persistence by registering the payload as a Shell Icon Overlay handler COM object.2
enterprise T1041 Exfiltration Over C2 Channel ADVSTORESHELL exfiltrates data over the same channel used for C2.2
enterprise T1083 File and Directory Discovery ADVSTORESHELL can list files and directories.23
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion ADVSTORESHELL can delete files and directories.2
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging ADVSTORESHELL can perform keylogging.23
enterprise T1112 Modify Registry ADVSTORESHELL is capable of setting and deleting Registry values.3
enterprise T1106 Native API ADVSTORESHELL is capable of starting a process using CreateProcess.3
enterprise T1027 Obfuscated Files or Information Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.13
enterprise T1120 Peripheral Device Discovery ADVSTORESHELL can list connected devices.2
enterprise T1057 Process Discovery ADVSTORESHELL can list running processes.2
enterprise T1012 Query Registry ADVSTORESHELL can enumerate registry keys.23
enterprise T1029 Scheduled Transfer ADVSTORESHELL collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence.3
enterprise T1082 System Information Discovery ADVSTORESHELL can run Systeminfo to gather information about the victim.23

Groups That Use This Software

ID Name References
G0007 APT28 14

References

Back to top