Skip to content

S0109 WEBC2

WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. 12

Item Value
ID S0109
Associated Names
Version 2.0
Created 31 May 2017
Last Modified 25 August 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell WEBC2 can open an interactive command shell.2
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\WINDOWS\ntshrui.dll).1
enterprise T1105 Ingress Tool Transfer WEBC2 can download and execute a file.2

Groups That Use This Software

ID Name References
G0006 APT1 2


Back to top