Skip to content

S0137 CORESHELL

CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.1 2

Item Value
ID S0137
Associated Names Sofacy, SOURFACE
Type MALWARE
Version 2.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Sofacy This designation has been used in reporting both to refer to the threat group (APT28) and its associated malware.1 23
SOURFACE 1 23

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols CORESHELL can communicate over HTTP for C2.14
enterprise T1071.003 Mail Protocols CORESHELL can communicate over SMTP and POP3 for C2.14
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.4
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding CORESHELL C2 messages are Base64-encoded.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys.1
enterprise T1105 Ingress Tool Transfer CORESHELL downloads another dropper from its C2 server.1
enterprise T1027 Obfuscated Files or Information CORESHELL obfuscates strings using a custom stream cipher.1
enterprise T1027.001 Binary Padding CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 CORESHELL is installed via execution of rundll32 with an export named “init” or “InitW.”4
enterprise T1082 System Information Discovery CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.1

Groups That Use This Software

ID Name References
G0007 APT28 15

References

Back to top