Skip to content

S0058 SslMM

SslMM is a full-featured backdoor used by Naikon that has multiple variants. 1

Item Value
ID S0058
Associated Names
Type MALWARE
Version 1.1
Created 31 May 2017
Last Modified 18 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation SslMM contains a feature to manipulate process privileges and tokens.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut.1
enterprise T1547.009 Shortcut Modification To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut.1
enterprise T1008 Fallback Channels SslMM has a hard-coded primary and backup C2 string.1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools SslMM identifies and kills anti-malware processes.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut.1
enterprise T1082 System Information Discovery SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date.1
enterprise T1033 System Owner/User Discovery SslMM sends the logged-on username to its hard-coded C2.1

Groups That Use This Software

ID Name References
G0019 Naikon 12

References

Back to top