S0087 Hi-Zor
Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION.[1]
Item | Value |
---|---|
ID | S0087 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 31 May 2017 |
Last Modified | 09 February 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Hi-Zor communicates with its C2 server over HTTPS.[2] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Hi-Zor creates a Registry Run key to establish persistence.[2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Hi-Zor has the ability to create a reverse shell.[2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Hi-Zor encrypts C2 traffic with a double XOR using two distinct single-byte keys.[1] (Two single-byte XOR layers are equivalent to one XOR with the two key bytes XORed together, so the effective keyspace is only 256 values; treat this as obfuscation, not confidentiality.) |
enterprise | T1573.002 | Asymmetric Cryptography | Hi-Zor encrypts C2 traffic with TLS.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Hi-Zor deletes its RAT installer file as it executes its DLL payload file.[2] |
enterprise | T1105 | Ingress Tool Transfer | Hi-Zor has the ability to upload and download files from its C2 server.[2] |
enterprise | T1027 | Obfuscated Files or Information | Hi-Zor uses various XOR techniques to obfuscate its components.[2] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.010 | Regsvr32 | Hi-Zor executes using regsvr32.exe, which is invoked by the Registry Run key it creates for persistence.[2] |
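The T1573.001 and T1027 rows describe a double XOR with two single-byte keys. The following is an added example, not code from the Hi-Zor samples or from ATT&CK, showing why the two layers collapse to a single-byte XOR and how an analyst recovers the effective key from captured traffic, either with a known-plaintext crib or with a printability heuristic. The key bytes (0x3C, 0x5A) and the HTTP-style sample message are constructed for illustration and are not Hi-Zor's real values.

```python
"""Double XOR with two single-byte keys: collapse, crib attack, no-crib heuristic.
Added example; key bytes and sample message are assumptions, not Hi-Zor's."""
from typing import Optional

# Bytes an analyst accepts as "text": printable ASCII plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def double_xor(data: bytes, k1: int, k2: int) -> bytes:
    """XOR every byte with k1, then with k2 (two layered single-byte keys)."""
    return bytes((b ^ k1) ^ k2 for b in data)


def single_xor(data: bytes, k: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ k for b in data)


def effective_key(k1: int, k2: int) -> int:
    """Two single-byte XORs in sequence equal one XOR with k1 ^ k2, because
    (b ^ k1) ^ k2 == b ^ (k1 ^ k2) for every byte b."""
    return k1 ^ k2


def recover_key_with_crib(ciphertext: bytes, crib: bytes) -> Optional[int]:
    """Known-plaintext attack: only 256 effective keys exist, so test each one
    against a crib expected at the start of the message (an HTTP verb here)."""
    for k in range(256):
        if single_xor(ciphertext[: len(crib)], k) == crib:
            return k
    return None


def recover_key_by_printability(ciphertext: bytes) -> int:
    """No-crib heuristic: choose the key whose output has the most text bytes.
    Works when the plaintext is known to be text (HTTP, hostnames, paths)."""
    def score(k: int) -> int:
        return sum(1 for b in single_xor(ciphertext, k) if b in PRINTABLE)
    return max(range(256), key=score)


# Constructed sample: an HTTP request standing in for a C2 beacon.
SAMPLE_PLAINTEXT = b"GET /update HTTP/1.1\r\nHost: example.test\r\n\r\n"
KEY1, KEY2 = 0x3C, 0x5A  # assumed key bytes, not Hi-Zor's real ones
SAMPLE_CIPHERTEXT = double_xor(SAMPLE_PLAINTEXT, KEY1, KEY2)


def demo() -> dict:
    """Run the whole chain: collapse the keys, recover them two ways, decode."""
    k = effective_key(KEY1, KEY2)
    return {
        "effective_key": k,
        "layers_collapse": double_xor(SAMPLE_PLAINTEXT, KEY1, KEY2)
        == single_xor(SAMPLE_PLAINTEXT, k),
        "crib_key": recover_key_with_crib(SAMPLE_CIPHERTEXT, b"GET "),
        "printability_key": recover_key_by_printability(SAMPLE_CIPHERTEXT),
        "decoded": single_xor(SAMPLE_CIPHERTEXT, k),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The practical point for triage: once the TLS layer is stripped (the T1573.002 row), the inner XOR layer costs at most 256 trial decodes per captured message, and the same brute force applies to XOR-obfuscated components on disk if the key is a single byte. The printability heuristic needs enough bytes to be discriminating; on a few-byte message several keys can tie, so prefer a crib when one is known.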
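The T1547.001 and T1218.010 rows together describe one chain: a Run key whose value launches regsvr32.exe to load the RAT DLL. Below is an added example of detection logic for that chain, written here as an illustration and not taken from ATT&CK or from any Hi-Zor report. The records are constructed Sysmon-style events (Event ID 13 for a registry value set, Event ID 1 for process creation) with Sysmon field names; the user SID, file paths and the list of "trusted" DLL directories are assumptions, not indicators from the page.

```python
"""Detect regsvr32-based Run key persistence in Sysmon-style events.
Added example; sample records and trusted-directory list are assumptions."""
import re
from typing import Dict, List, Optional

# Run and RunOnce keys under any hive (HKLM or HKU\<SID>).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# First DLL/OCX path on a command line, quoted or not.
DLL_PATH_RE = re.compile(r'(?i)([a-z]:\\[^"\r\n]*?\.(?:dll|ocx))')
# Directories from which regsvr32 loading a DLL is unremarkable (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def check_registry_event(ev: Dict) -> Optional[Dict]:
    """Rule 1: a Run/RunOnce value whose data invokes regsvr32.exe
    (T1547.001 persistence wired to T1218.010 proxy execution)."""
    if RUN_KEY_RE.search(ev.get("TargetObject", "")) and "regsvr32" in ev.get("Details", "").lower():
        return {"rule": "run_key_regsvr32", "record": ev["RecordNumber"], "detail": ev["Details"]}
    return None


def check_process_event(ev: Dict) -> Optional[Dict]:
    """Rule 2: regsvr32.exe loading a DLL from outside the trusted directories.
    The parent image is carried along; explorer.exe as parent is consistent
    with a logon-time Run key launch."""
    if not ev.get("Image", "").lower().endswith("\\regsvr32.exe"):
        return None
    m = DLL_PATH_RE.search(ev.get("CommandLine", ""))
    if m and not is_trusted_path(m.group(1)):
        return {"rule": "regsvr32_untrusted_dll", "record": ev["RecordNumber"],
                "detail": m.group(1), "parent": ev.get("ParentImage", "")}
    return None


def detect(events: List[Dict]) -> List[Dict]:
    alerts = []
    for ev in events:
        hit = None
        if ev.get("EventID") == 13:
            hit = check_registry_event(ev)
        elif ev.get("EventID") == 1:
            hit = check_process_event(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample events (Sysmon field names; values are invented).
SAMPLE_EVENTS = [
    {"RecordNumber": 1, "EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": r"regsvr32.exe /s C:\Users\alice\AppData\Roaming\Micro\upd.dll"},
    {"RecordNumber": 2, "EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"RecordNumber": 3, "EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Roaming\Micro\upd.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordNumber": 4, "EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Records 1 and 3 fire (the Run value naming regsvr32, and regsvr32 loading a DLL from a user profile); records 2 and 4 do not. Rule 1 only works if the Sysmon configuration actually emits registry events for the Run and RunOnce keys, which many default-style configurations do; rule 2 will need the trusted-directory list tuned to the environment's software inventory.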