S0063 SHOTPUT
SHOTPUT is a custom backdoor used by APT3. 1
| Item | Value |
|---|---|
| ID | S0063 |
| Associated Names | Backdoor.APT.CookieCutter, Pirpi |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| Backdoor.APT.CookieCutter | 2 |
| Pirpi | 2 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | SHOTPUT has a command to retrieve information about connected users.3 |
| enterprise | T1083 | File and Directory Discovery | SHOTPUT has a command to obtain a directory listing.3 |
| enterprise | T1027 | Obfuscated Files or Information | SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.13 |
| enterprise | T1057 | Process Discovery | SHOTPUT has a command to obtain a process listing.3 |
| enterprise | T1018 | Remote System Discovery | SHOTPUT has a command to list all servers in the domain, as well as one to locate domain controllers on a domain.3 |
| enterprise | T1049 | System Network Connections Discovery | SHOTPUT uses netstat to list TCP connection status.3 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0022 | APT3 | 1 |
References
-
Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016. ↩↩↩
-
Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016. ↩↩
-
Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016. ↩↩↩↩↩↩