
S0093 Backdoor.Oldrea

Backdoor.Oldrea is a modular backdoor that has been used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[3][1][2]

| Item | Value |
|---|---|
| ID | S0093 |
| Associated Names | |
| Version | 2.0 |
| Created | 31 May 2017 |
| Last Modified | 20 April 2022 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.003 | Email Account | Backdoor.Oldrea collects address book information from Outlook.[3] |
| enterprise | T1560 | Archive Collected Data | Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.[3] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Backdoor.Oldrea adds Registry Run keys to achieve persistence.[3][1] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool.[3] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Some Backdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.[3] |
| enterprise | T1083 | File and Directory Discovery | Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.[3] |
| enterprise | T1070 | Indicator Removal on Host | - |
| enterprise | T1070.004 | File Deletion | Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.[3] |
| enterprise | T1105 | Ingress Tool Transfer | Backdoor.Oldrea can download additional modules from C2.[1] |
| enterprise | T1046 | Network Service Discovery | Backdoor.Oldrea can use a network scanning module to identify ICS-related ports.[1] |
| enterprise | T1057 | Process Discovery | Backdoor.Oldrea collects information about running processes.[3] |
| enterprise | T1055 | Process Injection | Backdoor.Oldrea injects itself into explorer.exe.[3][1] |
| enterprise | T1018 | Remote System Discovery | Backdoor.Oldrea can enumerate and map ICS-specific systems in victim environments.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | Backdoor.Oldrea can use rundll32 for execution on compromised hosts.[1] |
| enterprise | T1082 | System Information Discovery | Backdoor.Oldrea collects information about the OS and computer name.[3][1] |
| enterprise | T1016 | System Network Configuration Discovery | Backdoor.Oldrea collects information about the Internet adapter configuration.[3][1] |
| enterprise | T1033 | System Owner/User Discovery | Backdoor.Oldrea collects the current username from the victim.[3] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0035 | Dragonfly | [3][1] |

