S0176 Wingbird
Wingbird is a backdoor that appears to be a version of the commercial FinFisher software. It is reportedly used to attack individual computers rather than networks. NEODYMIUM used it in a May 2016 campaign. [1] [2]
Item | Value |
---|---|
ID | S0176 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 16 January 2018 |
Last Modified | 30 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.008 | LSASS Driver | Wingbird drops a malicious file (sspisrv.dll) alongside a copy of lsass.exe, which is used to register a service that loads sspisrv.dll as a driver. The payload of the malicious driver (located in its entry-point function) is executed when loaded by lsass.exe, before the spoofed service becomes unstable and crashes. [1] [3] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file. [1] [3] |
enterprise | T1068 | Exploitation for Privilege Escalation | Wingbird exploits CVE-2016-4117 to allow an executable to gain escalated privileges. [1] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.002 | DLL Side-Loading | Wingbird side-loads a malicious file, sspisrv.dll, as part of a spoofed lsass.exe service. [1] [3] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Wingbird deletes its payload along with the payload's parent process after it finishes copying files. [1] |
enterprise | T1055 | Process Injection | Wingbird performs multiple process injections to hijack system processes and execute malicious code. [1] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | Wingbird checks for the presence of Bitdefender security software. [1] |
enterprise | T1082 | System Information Discovery | Wingbird checks the victim OS version after executing to determine where to drop files, based on whether the victim is 32-bit or 64-bit. [1] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file. [1] [3] |
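The service-registration rows above (T1543.003, T1547.008, T1569.002) describe one concrete, log-visible pattern: a copy of lsass.exe registered as an autostart service, named "Audit Service", with a malicious sspisrv.dll dropped beside it. The following detection is an added example written for this page, not code from MITRE, Microsoft or the Wingbird report. It parses Windows System log Event ID 7045 ("A service was installed in the system") message bodies and flags services whose image is an lsass.exe outside the real System32 directory, or whose name is "Audit Service". The caveat a practitioner needs: legitimate LSA services (SamSs, KeyIso, VaultSvc, Netlogon) also have lsass.exe as their ImagePath, so the rule keys on the image directory, not the file name. The 7045 messages, the C:\Users\Public drop location and the %SystemRoot% = C:\Windows expansion are constructed assumptions, not observed Wingbird artifacts.

```python
"""Flag Windows 7045 service-install events matching the Wingbird pattern:
a copy of lsass.exe registered as a service from a non-System32 directory,
or a service named "Audit Service".

Added example for this page; the sample log messages below are constructed.
"""
import ntpath
import re

# Assumption: %SystemRoot% resolves to C:\Windows on the analysed host.
SYSTEM_ROOT = r"C:\Windows"
LEGIT_LSASS_DIR = ntpath.join(SYSTEM_ROOT, "System32").lower()

# Constructed 7045 message bodies in the layout the System log uses.
# The first is a legitimate LSA service (it runs inside the real lsass.exe),
# the second mimics the reported Wingbird registration (path is assumed),
# the third is an ordinary quoted image path with no lsass involvement.
SAMPLE_7045 = [
    r"""A service was installed in the system.

Service Name:  Security Accounts Manager
Service File Name:  %SystemRoot%\system32\lsass.exe
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
    r"""A service was installed in the system.

Service Name:  Audit Service
Service File Name:  C:\Users\Public\Libraries\lsass.exe
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
    r"""A service was installed in the system.

Service Name:  Sysmon64
Service File Name:  "C:\Windows\Sysmon64.exe"
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem""",
]

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s*(.*)$",
    re.M,
)
# Image path with optional surrounding quotes and optional trailing arguments.
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|sys))"?(?:\s|$)', re.I)


def parse_7045(message: str) -> dict:
    """Return the 7045 fields as a dict keyed by the label shown in the log."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}


def normalize_image(file_name: str) -> str:
    """Strip quotes/arguments, expand %SystemRoot% and %windir%, lowercase."""
    match = IMAGE_RE.match(file_name.strip())
    lower = (match.group(1) if match else file_name.strip()).lower()
    for var in ("%systemroot%", "%windir%"):
        if lower.startswith(var):
            lower = SYSTEM_ROOT.lower() + lower[len(var):]
            break
    return lower


def findings_for(event: dict) -> list:
    """Reasons a parsed 7045 event matches the Wingbird pattern (empty if none)."""
    reasons = []
    image = normalize_image(event.get("Service File Name", ""))
    directory, base = ntpath.split(image)
    # lsass.exe is a legitimate ImagePath only from %SystemRoot%\System32.
    if base == "lsass.exe" and directory != LEGIT_LSASS_DIR:
        reasons.append(f"lsass.exe registered from a non-System32 path: {image}")
    if event.get("Service Name", "").lower() == "audit service":
        reasons.append('service name "Audit Service" matches the reported Wingbird service')
    return reasons


def scan(messages: list) -> dict:
    """Map service name -> findings for every 7045 message that triggers a rule."""
    hits = {}
    for message in messages:
        event = parse_7045(message)
        reasons = findings_for(event)
        if reasons:
            hits[event.get("Service Name", "<unknown>")] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_7045).items():
        print(f"[!] {name}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the constructed sample, only "Audit Service" is reported, with both reasons; the real Security Accounts Manager entry is silent because its lsass.exe lives in System32. To apply it to live data, feed `scan()` the message bodies of System log events with ID 7045 (for example from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}`), and pair a hit with a file-system check for an sspisrv.dll sitting beside the copied lsass.exe.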
Groups That Use This Software
ID | Name | References |
---|---|---|
G0055 | NEODYMIUM | [2] [1] |
References
1. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
2. Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.
3. Microsoft. (2017, November 9). Backdoor:Win32/Wingbird.A!dha. Retrieved November 27, 2017.