S0172 Reaver
Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates that its victims have primarily been associated with the "Five Poisons," movements the Chinese government considers dangerous. The family is unusual in that its final payload is delivered as a Control Panel item (a CPL file), a format rarely used for malware.[1]
Item | Value |
---|---|
ID | S0172 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 16 January 2018 |
Last Modified | 09 February 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Some Reaver variants use HTTP for C2.[1] |
enterprise | T1560 | Archive Collected Data | - |
enterprise | T1560.003 | Archive via Custom Method | Reaver encrypts collected data with an incremental XOR key prior to exfiltration.[1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[1] |
enterprise | T1547.009 | Shortcut Modification | Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | Reaver installs itself as a new service.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Reaver deletes the original dropped file from the victim.[1] |
enterprise | T1095 | Non-Application Layer Protocol | Some Reaver variants use raw TCP for C2.[1] |
enterprise | T1027 | Obfuscated Files or Information | Reaver encrypts some of its files with XOR.[1] |
enterprise | T1012 | Query Registry | Reaver queries the Registry to determine the correct Startup path to use for persistence.[1] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.002 | Control Panel | Reaver drops and executes a malicious CPL file as its payload.[1] |
enterprise | T1082 | System Information Discovery | Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.[1] |
enterprise | T1016 | System Network Configuration Discovery | Reaver collects the victim's IP address.[1] |
enterprise | T1033 | System Owner/User Discovery | Reaver collects the victim's username.[1] |
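The T1560.003 and T1027 rows above describe an incrementing XOR key applied to collected data before exfiltration. The following Python is an added example, not Reaver's code and not part of the ATT&CK entry: it assumes a simple key schedule (a one-byte key that starts at k0 and is incremented by one for every byte, wrapping at 256), which is an assumption for illustration because the page does not specify the exact schedule Reaver uses, and shows how an analyst would recover k0 from captured traffic, either from a known plaintext prefix or by ranking all 256 starting keys by how text-like the decode looks. The sample record and key are constructed.

```python
"""Encode, decode and key-recover an "incremental XOR" stream.

Added example, not Reaver's code. ASSUMED scheme: byte i is XORed with
(k0 + i) mod 256. Reaver's real schedule is not documented on this page.
"""

from typing import List, Tuple

# Bytes we accept as "text-like" when ranking candidate keys.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_incremental(data: bytes, k0: int) -> bytes:
    """XOR byte i with (k0 + i) & 0xFF. Symmetric, so the same call decodes."""
    if not 0 <= k0 <= 0xFF:
        raise ValueError("k0 must be a single byte")
    return bytes(b ^ ((k0 + i) & 0xFF) for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like text; 1.0 for a clean decode."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def recover_key(ciphertext: bytes, known_prefix: bytes) -> int:
    """Recover k0 from a known plaintext prefix (a fixed record header, say).

    Every prefix byte must agree with the incrementing schedule; if one does
    not, either the prefix guess or the assumed scheme is wrong, so refuse
    rather than return a misleading key.
    """
    if not known_prefix or len(known_prefix) > len(ciphertext):
        raise ValueError("prefix must be non-empty and no longer than ciphertext")
    k0 = ciphertext[0] ^ known_prefix[0]
    for i, (c, p) in enumerate(zip(ciphertext, known_prefix)):
        if c ^ p != (k0 + i) & 0xFF:
            raise ValueError(f"prefix inconsistent with incrementing key at offset {i}")
    return k0


def rank_keys(ciphertext: bytes) -> List[Tuple[int, float]]:
    """No known plaintext: try all 256 starting keys, best printable ratio first.

    A wrong k0 leaves a mismatched key stream on the output, which usually
    produces many non-printable bytes, so the true key ranks at or near the
    top. Treat the result as a shortlist to eyeball, not as proof.
    """
    scored = [(k, printable_ratio(xor_incremental(ciphertext, k))) for k in range(256)]
    return sorted(scored, key=lambda kr: kr[1], reverse=True)


# Constructed sample: a host-survey record as it might look before encoding.
SAMPLE_PLAINTEXT = b"USER=analyst\r\nHOST=WS01\r\nIP=10.0.0.5\r\nCP=1252\r\n"
SAMPLE_K0 = 0x7A  # constructed starting key
SAMPLE_CIPHERTEXT = xor_incremental(SAMPLE_PLAINTEXT, SAMPLE_K0)

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT.hex())
    k = recover_key(SAMPLE_CIPHERTEXT, b"USER=")
    print(f"recovered k0 = {k:#04x}")
    print(xor_incremental(SAMPLE_CIPHERTEXT, k).decode())
    for cand, ratio in rank_keys(SAMPLE_CIPHERTEXT)[:3]:
        print(f"  candidate k0={cand:#04x} printable={ratio:.2f}")
```

The known-prefix path is the decisive one: a single inconsistent byte tells you the scheme is not a plain incrementing key (for example, a per-block reset or a different step), at which point the ranking heuristic is only a hint. When a sample uses a different schedule, change `xor_incremental` to match it and the recovery functions carry over unchanged.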
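For the execution and persistence rows (T1218.002, T1547.001/T1547.009), the following Python is an added hunting example, not Reaver's code and not ATT&CK content: it runs two rules over constructed Sysmon-style events (process creation, EventID 1, and file creation, EventID 11), flagging a Control Panel item executed from outside the Windows system directories and a .lnk written into a Startup folder. The field names follow Sysmon's conventions; the events, paths and file names are made up.

```python
"""Hunt for CPL-payload execution and Startup-folder LNK persistence in
Sysmon-style events. Added example, not Reaver's code; the events below are
constructed and the rules are triage leads, not signatures."""

import re
import shlex
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Directories a legitimate Control Panel item normally lives under.
TRUSTED_CPL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DRIVE_PATH = re.compile(r"^[a-z]:\\")
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)


def cpl_paths(cmdline: str) -> List[str]:
    """Return the .cpl arguments of a command line, quotes stripped, lower-cased."""
    try:
        tokens = shlex.split(cmdline, posix=False)   # non-POSIX: backslashes stay intact
    except ValueError:                               # unbalanced quote in the command line
        tokens = cmdline.split()
    paths = [t.strip('"').lower() for t in tokens]
    return [p for p in paths if p.endswith(".cpl")]


def evaluate(ev: Event) -> List[str]:
    """Apply both rules to one event and return the alert strings it triggers."""
    hits: List[str] = []
    if ev.get("EventID") == "1":                     # Sysmon process creation
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        # control.exe and rundll32 shell32.dll,Control_RunDLL are the usual CPL hosts.
        hosts_cpl = image.endswith("\\control.exe") or (
            image.endswith("\\rundll32.exe") and "control_rundll" in cmd.lower())
        if hosts_cpl:
            for path in cpl_paths(cmd):
                # Relative names are resolved by the host process; only absolute
                # paths outside the system directories are judged here.
                if DRIVE_PATH.match(path) and not path.startswith(TRUSTED_CPL_DIRS):
                    hits.append(f"T1218.002 CPL executed from non-system path: {path}")
    elif ev.get("EventID") == "11":                  # Sysmon file creation
        target = ev.get("TargetFilename", "")
        if STARTUP_LNK.search(target):
            hits.append(f"T1547.001/T1547.009 LNK written to Startup folder: {target}")
    return hits


def hunt(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, alert) pairs for every rule hit across the events."""
    return [(i, msg) for i, ev in enumerate(events) for msg in evaluate(ev)]


# Constructed sample telemetry: two benign events, two that match the rules.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" timedate.cpl'},
    {"EventID": "1", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\alice\AppData\Roaming\Microsoft\wupd.cpl"'},
    {"EventID": "11", "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wupd.lnk"},
    {"EventID": "11", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\Notes.lnk"},
]

if __name__ == "__main__":
    for idx, alert in hunt(SAMPLE_EVENTS):
        print(f"event[{idx}] {alert}")
```

Two caveats for anyone turning this into a production rule. Legitimate installers also drop shortcuts into Startup folders, so the LNK rule is a lead to triage against the shortcut's target, not an alert on its own. And the T1012 row (querying the registry for the Startup path) is invisible to this kind of telemetry: Sysmon records registry value creates and sets (EventIDs 12 to 14), not reads, so observing that lookup needs a registry-access trace from another source.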