S0137 CORESHELL
CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.[2][1]
Item | Value |
---|---|
ID | S0137 |
Associated Names | Sofacy, SOURFACE |
Type | MALWARE |
Version | 2.1 |
Created | 31 May 2017 |
Last Modified | 26 March 2023 |
Associated Software Descriptions
Name | Description |
---|---|
Sofacy | This designation has been used in reporting both to refer to the threat group (APT28) and its associated malware.[2][1][3] |
SOURFACE | [2][1][3] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | CORESHELL can communicate over HTTP for C2.[2][4] |
enterprise | T1071.003 | Mail Protocols | CORESHELL can communicate over SMTP and POP3 for C2.[2][4] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.[4] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | CORESHELL C2 messages are Base64-encoded.[2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys.[2] |
enterprise | T1105 | Ingress Tool Transfer | CORESHELL downloads another dropper from its C2 server.[2] |
enterprise | T1027 | Obfuscated Files or Information | CORESHELL obfuscates strings using a custom stream cipher.[2] |
enterprise | T1027.001 | Binary Padding | CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.[2] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW".[4] |
enterprise | T1082 | System Information Discovery | CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.[2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0007 | APT28 | [2][5] |
References
1. FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
2. FireEye. (2015). APT28: A Window into Russia's Cyber Espionage Operations? Retrieved August 19, 2015.
3. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
4. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
5. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.