S0058 SslMM
SslMM is a full-featured backdoor used by Naikon that has multiple variants. [1]
Item | Value |
---|---|
ID | S0058 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 31 May 2017 |
Last Modified | 18 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1134 | Access Token Manipulation | SslMM contains a feature to manipulate process privileges and tokens. [1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut. [1] |
enterprise | T1547.009 | Shortcut Modification | To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut. [1] |
enterprise | T1008 | Fallback Channels | SslMM has a hard-coded primary and backup C2 string. [1] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | SslMM identifies and kills anti-malware processes. [1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators. [1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut. [1] |
enterprise | T1082 | System Information Discovery | SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date. [1] |
enterprise | T1033 | System Owner/User Discovery | SslMM sends the logged-on username to its hard-coded C2. [1] |
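Hunting the T1547.001 / T1036.005 behaviour in the table above comes down to enumerating the Startup folder and checking where each shortcut actually points, rather than trusting its display name. The following is an added example, not code from the ATT&CK page or from the Naikon reports: a minimal MS-SHLLINK parser that extracts the local target path from a .lnk file's LinkInfo block, and a triage routine that flags a shortcut whose display name matches one of the four lure names or whose target lies outside a set of trusted install roots. `TRUSTED_PREFIXES` is an assumption to tune per environment, matching the lure names against the .lnk filename is an assumption (the page gives only the display labels), and `build_lnk` exists solely to construct sample shortcuts so the example runs offline; `scan_startup_folder` reads the real per-user Startup folder on a Windows host.

```python
"""Parse Windows .lnk shortcuts and triage the ones found in a Startup folder."""
import glob
import os
import struct
from typing import Optional

# Constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01

# Shortcut labels the MsnMM report attributes to SslMM. Matching them against the
# .lnk filename is an assumption; the report gives the labels only.
LURE_NAMES = {"office start", "yahoo talk", "msn gaming z0ne", "msn talk"}
# Assumed allowlist of install roots; tune for the environment being hunted.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def lnk_target(data: bytes) -> Optional[str]:
    """Return the local path a shell link resolves to via its LinkInfo block.

    Only the LocalBasePath + CommonPathSuffix form is handled; links whose target
    lives solely in the IDList (network or shell-namespace targets) return None.
    """
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + idlist_size  # skip the IDList entirely
    if not link_flags & HAS_LINK_INFO:
        return None
    (_size, _hdr_size, info_flags, _vol_off, base_off,
     _net_off, suffix_off) = struct.unpack_from("<7I", data, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None

    def cstring(offset: int) -> str:  # NUL-terminated ANSI string relative to LinkInfo
        start = pos + offset
        return data[start:data.index(b"\x00", start)].decode("ascii", "replace")

    return cstring(base_off) + cstring(suffix_off)


def triage_shortcut(filename: str, data: bytes) -> dict:
    """Flag a Startup-folder shortcut by its lure name and by where it points."""
    display = os.path.splitext(os.path.basename(filename))[0].lower()
    target = lnk_target(data)
    reasons = []
    if display in LURE_NAMES:
        reasons.append("display name matches a known SslMM lure")
    if target is None:
        reasons.append("no local target path in LinkInfo")
    elif not target.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("target outside trusted install roots: " + target)
    return {"file": filename, "target": target, "suspicious": bool(reasons), "reasons": reasons}


def scan_startup_folder(folder: Optional[str] = None) -> list:
    """Triage every .lnk in the per-user Startup folder (or in a folder you pass)."""
    if folder is None:
        folder = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                              "Start Menu", "Programs", "Startup")
    results = []
    for path in glob.glob(os.path.join(folder, "*.lnk")):
        with open(path, "rb") as fh:
            results.append(triage_shortcut(path, fh.read()))
    return results


def build_lnk(target_path: str) -> bytes:
    """Construct a minimal, valid .lnk carrying target_path in LinkInfo (sample data only)."""
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    base = target_path.encode("ascii") + b"\x00"
    suffix = b"\x00"
    hdr = 0x1C
    vol_off = hdr
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    info = struct.pack("<7I", suffix_off + len(suffix), hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                       vol_off, base_off, 0, suffix_off) + volume_id + base + suffix
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_LINK_INFO)
    return header.ljust(LNK_HEADER_SIZE, b"\x00") + info


# Constructed samples: a lure-named shortcut into a user-writable directory, and a
# benign Office shortcut for comparison.
SAMPLES = {
    "Office Start.lnk": build_lnk("C:\\Users\\alice\\AppData\\Roaming\\msupdate.exe"),
    "Excel.lnk": build_lnk("C:\\Program Files\\Microsoft Office\\EXCEL.EXE"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(triage_shortcut(name, blob))
```

On a live host, run `scan_startup_folder()` as the user being investigated (the per-user Startup folder is under `%APPDATA%`), and also pass the all-users folder under `%ProgramData%`; a shortcut whose display name suggests an Office or messaging product but whose target sits in a profile or temp directory is the pattern the table describes.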
Groups That Use This Software
ID | Name | References |
---|---|---|
G0019 | Naikon | [1], [2] |
References
1. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
2. ThreatConnect Inc. and Defense Group Inc. (DGI). (2015, September 23). Project CameraShy: Closing the Aperture on China's Unit 78020. Retrieved December 17, 2015.