Skip to content

S0093 Backdoor.Oldrea

Backdoor.Oldrea is a modular backdoor that used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.312

Item Value
ID S0093
Associated Names
Type MALWARE
Version 2.0
Created 31 May 2017
Last Modified 12 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.003 Email Account Backdoor.Oldrea collects address book information from Outlook.3
enterprise T1560 Archive Collected Data Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.3
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Backdoor.Oldrea adds Registry Run keys to achieve persistence.31
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool.3
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Some Backdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.3
enterprise T1083 File and Directory Discovery Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.3
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.3
enterprise T1105 Ingress Tool Transfer Backdoor.Oldrea can download additional modules from C2.1
enterprise T1046 Network Service Discovery Backdoor.Oldrea can use a network scanning module to identify ICS-related ports.1
enterprise T1057 Process Discovery Backdoor.Oldrea collects information about running processes.3
enterprise T1055 Process Injection Backdoor.Oldrea injects itself into explorer.exe.31
enterprise T1018 Remote System Discovery Backdoor.Oldrea can enumerate and map ICS-specific systems in victim environments.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 Backdoor.Oldrea can use rundll32 for execution on compromised hosts.1
enterprise T1082 System Information Discovery Backdoor.Oldrea collects information about the OS and computer name.31
enterprise T1016 System Network Configuration Discovery Backdoor.Oldrea collects information about the Internet adapter configuration.31
enterprise T1033 System Owner/User Discovery Backdoor.Oldrea collects the current username from the victim.3
ics T0802 Automated Collection Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. 4
ics T0814 Denial of Service The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications. 5
ics T0861 Point & Tag Identification The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices. 5 4
ics T0846 Remote System Discovery The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. 6
ics T0888 Remote System Information Discovery The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process. 5 4
ics T0865 Spearphishing Attachment The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails. 4
ics T0862 Supply Chain Compromise The Backdoor.Oldrea RAT is distributed through trojanized installers planted on compromised vendor sites. 4
ics T0863 User Execution Execution of Backdoor.Oldrea relies on a user opening a trojanized installer attached to an email. 4 7

Groups That Use This Software

ID Name References
G0035 Dragonfly 31

References