S0109 WEBC2
WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. 12
| Item | Value |
|---|---|
| ID | S0109 |
| Associated Names | |
| Type | MALWARE |
| Version | 2.0 |
| Created | 31 May 2017 |
| Last Modified | 25 August 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | WEBC2 can open an interactive command shell.2 |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\WINDOWS\ntshrui.dll).1 |
| enterprise | T1105 | Ingress Tool Transfer | WEBC2 can download and execute a file.2 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0006 | APT1 | 2 |