S0170 Helminth
Helminth is a backdoor that has at least two variants: one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable.[1]
Item | Value |
---|---|
ID | S0170 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 16 January 2018 |
Last Modified | 28 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Helminth can use HTTP for C2.[1] |
enterprise | T1071.004 | DNS | Helminth can use DNS for C2.[1] |
enterprise | T1119 | Automated Collection | A Helminth VBScript receives a batch script to execute a set of commands in a command prompt.[1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Helminth establishes persistence by creating a shortcut in the Start Menu folder.[1] |
enterprise | T1547.009 | Shortcut Modification | Helminth establishes persistence by creating a shortcut.[1] |
enterprise | T1115 | Clipboard Data | The executable version of Helminth has a module to log clipboard contents.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | One version of Helminth uses a PowerShell script.[1] |
enterprise | T1059.003 | Windows Command Shell | Helminth can provide a remote shell. One version of Helminth uses batch scripting.[1] |
enterprise | T1059.005 | Visual Basic | One version of Helminth consists of VBScript scripts.[1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | For C2 over HTTP, Helminth encodes data with base64 and sends it via the “Cookie” field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values and sends the data in cleartext.[1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.[1] |
enterprise | T1030 | Data Transfer Size Limits | Helminth splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server.[1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Helminth encrypts data sent to its C2 server over HTTP with RC4.[1] |
enterprise | T1105 | Ingress Tool Transfer | Helminth can download additional files.[1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | The executable version of Helminth has a module to log keystrokes.[1] |
enterprise | T1027 | Obfuscated Files or Information | The Helminth config file is encrypted with RC4.[1] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.001 | Local Groups | Helminth has checked the local administrators group.[2] |
enterprise | T1069.002 | Domain Groups | Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands `net group Exchange Trusted Subsystem /domain` and `net group domain admins /domain`.[2] |
enterprise | T1057 | Process Discovery | Helminth has used Tasklist to get information on processes.[2] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Helminth has used a scheduled task for persistence.[3] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | Helminth samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared.[3] |
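The DNS channel described under T1132.001 and T1030 (ASCII converted to hex, at most 23 bytes per query) gives defenders a concrete hunting signature: a run of hex-only leading labels from one client to one parent domain that decode to printable text. The detection logic below is an added example written for this page, not code from ATT&CK or from any Helminth analysis; it assumes a constructed log format of `<timestamp> <client> <qname> <qtype>`, that the chunk is carried in the leading DNS label, and that the 23-byte limit applies to the decoded data.

```python
import re
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

# Assumptions (not stated in the ATT&CK entry): the chunk rides in the leading label
# and the 23-byte limit from T1030 applies to the decoded (pre-hex) data.
MAX_CHUNK_BYTES = 23
HEX_LABEL = re.compile(r"^[0-9a-fA-F]{4,}$")  # require at least 2 bytes to cut noise

# Constructed sample log, not real traffic. Two labels carry "HOST=WS01;" and "USER=jdoe".
SAMPLE_DNS_LOG = "\n".join([
    "2024-01-01T10:00:00Z 10.0.0.5 www.example.com A",
    "2024-01-01T10:00:01Z 10.0.0.5 cafe.example.com A",  # hex, but not printable ASCII
    f"2024-01-01T10:00:02Z 10.0.0.5 {b'HOST=WS01;'.hex()}.c2-placeholder.test A",
    f"2024-01-01T10:00:03Z 10.0.0.5 {b'USER=jdoe'.hex()}.c2-placeholder.test A",
    "2024-01-01T10:00:04Z 10.0.0.9 mail.example.com MX",
])

def decode_hex_label(label: str) -> Optional[bytes]:
    """Decode a label only if it is even-length hex of <= MAX_CHUNK_BYTES printable ASCII bytes."""
    if len(label) % 2 or not HEX_LABEL.match(label):
        return None
    data = bytes.fromhex(label)
    if len(data) > MAX_CHUNK_BYTES or any(b < 0x20 or b > 0x7E for b in data):
        return None
    return data

def scan_dns_log(log_text: str) -> List[Tuple[str, str, str, bytes]]:
    """Return (timestamp, client, parent_domain, decoded_chunk) for each suspicious query."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, qname = parts[0], parts[1], parts[2]
        first, _, parent = qname.partition(".")
        chunk = decode_hex_label(first)
        if chunk is not None:
            hits.append((ts, client, parent, chunk))
    return hits

def reassemble(hits: List[Tuple[str, str, str, bytes]]) -> Dict[Tuple[str, str], str]:
    """Join chunks per (client, parent domain) in log order to recover the staged data.
    A single hit is weak evidence; a run of them to one domain is the actual signal."""
    streams: "OrderedDict[Tuple[str, str], bytes]" = OrderedDict()
    for _ts, client, parent, chunk in hits:
        streams[(client, parent)] = streams.get((client, parent), b"") + chunk
    return {key: data.decode("ascii") for key, data in streams.items()}

if __name__ == "__main__":
    for (client, parent), data in reassemble(scan_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client} -> {parent}: {data!r}")
```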
Groups That Use This Software
ID | Name | References |
---|---|---|
G0049 | OilRig | [1][4][5] |
References
- [1] Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- [2] Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- [3] ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
- [4] Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
- [5] Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.