S0128 BADNEWS
BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. [1][2]
Item | Value |
---|---|
ID | S0128 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 31 May 2017 |
Last Modified | 21 June 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | BADNEWS establishes a backdoor over HTTP. [3] |
enterprise | T1119 | Automated Collection | BADNEWS monitors USB devices and copies files with certain extensions to a predefined directory. [2] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | BADNEWS installs a registry Run key to establish persistence. [1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | BADNEWS is capable of executing commands via cmd.exe. [1][2] |
enterprise | T1132 | Data Encoding | After encrypting C2 data, BADNEWS converts it into a hexadecimal representation and then encodes it into base64. [1] |
enterprise | T1132.001 | Standard Encoding | BADNEWS encodes C2 traffic with base64. [1][3][2] |
enterprise | T1005 | Data from Local System | When it first starts, BADNEWS crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt. [1][3] |
enterprise | T1039 | Data from Network Shared Drive | When it first starts, BADNEWS crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt. [1] |
enterprise | T1025 | Data from Removable Media | BADNEWS copies files with certain extensions from USB devices to a predefined directory. [2] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | BADNEWS copies documents under 15MB found on the victim system to the user's %temp%\SMB\ folder. It also copies files from USB devices to a predefined directory. [1][2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23. [1][2] |
enterprise | T1083 | File and Directory Discovery | BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory. [2] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.002 | DLL Side-Loading | BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable. [1][3] |
enterprise | T1105 | Ingress Tool Transfer | BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself. [1][3][2] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | When it first starts, BADNEWS spawns a new thread to log keystrokes. [1][3][2] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.001 | Invalid Code Signature | BADNEWS is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate. [2] |
enterprise | T1036.005 | Match Legitimate Name or Location | BADNEWS attempts to hide its payloads using legitimate filenames. [3] |
enterprise | T1106 | Native API | BADNEWS has a command to download an .exe and execute it via the CreateProcess API. It can also run with ShellExecute. [1][2] |
enterprise | T1120 | Peripheral Device Discovery | BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message. [1][2] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.012 | Process Hollowing | BADNEWS has a command to download an .exe and use process hollowing to inject it into a new process. [1][2] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | BADNEWS creates a scheduled task to establish persistence by executing a malicious payload every subsequent minute. [3] |
enterprise | T1113 | Screen Capture | BADNEWS has a command to take a screenshot and send it to the C2 server. [1][3] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.001 | Dead Drop Resolver | BADNEWS collects C2 information via a dead drop resolver. [1][3][2] |
enterprise | T1102.002 | Bidirectional Communication | BADNEWS can use multiple C2 channels, including RSS feeds, Github, forums, and blogs. [1][3][2] |
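The T1132 and T1573.001 rows above describe the layering of BADNEWS C2 data (ROR-by-3 and XOR-0x23 transform, then hex, then base64). The following analysis helper is an added example, not code from this page or from the cited reports: it reverses those layers so an analyst can inspect captured traffic, and it includes a cheap structural check (base64 that decodes to pure hex text) that a detection pipeline can use to flag candidate blobs. It assumes the rotation is byte-wise and that ROR is applied before the XOR; the page does not state the order, so both are labelled assumptions.

```python
import base64
import binascii
import string

XOR_KEY = 0x23      # from the page (T1573.001)
ROTATE_BITS = 3     # from the page (T1573.001)
_HEX_CHARS = set(string.hexdigits)


def _ror8(value: int, bits: int) -> int:
    """Rotate an 8-bit value right by `bits` (assumption: rotation is byte-wise)."""
    return ((value >> bits) | (value << (8 - bits))) & 0xFF


def _rol8(value: int, bits: int) -> int:
    """Rotate an 8-bit value left by `bits` (inverse of _ror8)."""
    return ((value << bits) | (value >> (8 - bits))) & 0xFF


def encode_badnews_c2(plaintext: bytes) -> str:
    """Forward transform used only to build test fixtures for the decoder.
    Assumed order: per-byte ROR 3, then XOR 0x23, then hex, then base64."""
    transformed = bytes(_ror8(b, ROTATE_BITS) ^ XOR_KEY for b in plaintext)
    return base64.b64encode(transformed.hex().encode("ascii")).decode("ascii")


def looks_like_badnews_layering(blob: str) -> bool:
    """Structural check: strict base64 whose decoded content is even-length hex text.
    Cheap enough to run over captured HTTP bodies; it is a triage signal, not proof."""
    try:
        inner = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False
    return len(inner) > 0 and len(inner) % 2 == 0 and set(inner) <= _HEX_CHARS


def decode_badnews_c2(blob: str) -> bytes:
    """Undo base64, then hex, then XOR 0x23, then ROL 3 (inverse of the assumed order)."""
    if not looks_like_badnews_layering(blob):
        raise ValueError("input does not match the expected base64(hex(...)) layering")
    raw = bytes.fromhex(base64.b64decode(blob, validate=True).decode("ascii"))
    return bytes(_rol8(b ^ XOR_KEY, ROTATE_BITS) for b in raw)


if __name__ == "__main__":
    sample = encode_badnews_c2(b"constructed sample")   # constructed fixture, not real traffic
    print(sample, decode_badnews_c2(sample))
```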
Groups That Use This Software
ID | Name | References |
---|---|---|
G0040 | Patchwork | [1][2] |
References
- [1] Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- [2] Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- [3] Levene, B., et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.