Skip to content

S0128 BADNEWS

BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. 1 2

Item Value
ID S0128
Associated Names
Type MALWARE
Version 1.2
Created 31 May 2017
Last Modified 21 June 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols BADNEWS establishes a backdoor over HTTP.3
enterprise T1119 Automated Collection BADNEWS monitors USB devices and copies files with certain extensions to a predefined directory.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder BADNEWS installs a registry Run key to establish persistence.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell BADNEWS is capable of executing commands via cmd.exe.12
enterprise T1132 Data Encoding After encrypting C2 data, BADNEWS converts it into a hexadecimal representation and then encodes it into base64.1
enterprise T1132.001 Standard Encoding BADNEWS encodes C2 traffic with base64.132
enterprise T1005 Data from Local System When it first starts, BADNEWS crawls the victim’s local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.13
enterprise T1039 Data from Network Shared Drive When it first starts, BADNEWS crawls the victim’s mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.1
enterprise T1025 Data from Removable Media BADNEWS copies files with certain extensions from USB devices to
a predefined directory.2
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging BADNEWS copies documents under 15MB found on the victim system to is the user’s %temp%\SMB\ folder. It also copies files from USB devices to a predefined directory.12
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23.12
enterprise T1083 File and Directory Discovery BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory.2
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.13
enterprise T1105 Ingress Tool Transfer BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.132
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging When it first starts, BADNEWS spawns a new thread to log keystrokes.132
enterprise T1036 Masquerading -
enterprise T1036.001 Invalid Code Signature BADNEWS is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate.2
enterprise T1036.005 Match Legitimate Name or Location BADNEWS attempts to hide its payloads using legitimate filenames.3
enterprise T1106 Native API BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute.12
enterprise T1120 Peripheral Device Discovery BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message.12
enterprise T1055 Process Injection -
enterprise T1055.012 Process Hollowing BADNEWS has a command to download an .exe and use process hollowing to inject it into a new process.12
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task BADNEWS creates a scheduled task to establish by executing a malicious payload every subsequent minute.3
enterprise T1113 Screen Capture BADNEWS has a command to take a screenshot and send it to the C2 server.13
enterprise T1102 Web Service -
enterprise T1102.001 Dead Drop Resolver BADNEWS collects C2 information via a dead drop resolver.132
enterprise T1102.002 Bidirectional Communication BADNEWS can use multiple C2 channels, including RSS feeds, Github, forums, and blogs.132

Groups That Use This Software

ID Name References
G0040 Patchwork 12

References

Back to top