
S0244 Comnie

Comnie is a remote backdoor which has been used in attacks in East Asia. [1]

| Item | Value |
|---|---|
| ID | S0244 |
| Associated Names | |
| Version | 1.1 |
| Created | 17 October 2018 |
| Last Modified | 30 March 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | Comnie uses the net user command. [1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Comnie uses HTTP for C2 communication. [1] |
| enterprise | T1119 | Automated Collection | Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporary file to the remote C2 server. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry. [1] |
| enterprise | T1547.009 | Shortcut Modification | Comnie establishes persistence via a .lnk file in the victim's startup path. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Comnie executes BAT scripts. [1] |
| enterprise | T1059.005 | Visual Basic | Comnie executes VBS scripts. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Comnie encrypts command and control communications with RC4. [1] |
| enterprise | T1027 | Obfuscated Files or Information | Comnie uses RC4 and Base64 to obfuscate strings. [1] |
| enterprise | T1027.001 | Binary Padding | Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk. [1] |
| enterprise | T1057 | Process Discovery | Comnie uses tasklist to view running processes on the victim's machine. [1] |
| enterprise | T1018 | Remote System Discovery | Comnie runs the net view command. |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Comnie attempts to detect several anti-virus products. [1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | Comnie uses Rundll32 to load a malicious DLL. [1] |
| enterprise | T1082 | System Information Discovery | Comnie collects the hostname of the victim machine. [1] |
| enterprise | T1016 | System Network Configuration Discovery | Comnie uses ipconfig /all and route PRINT to identify network adapter and interface information. [1] |
| enterprise | T1049 | System Network Connections Discovery | Comnie executes the netstat -ano command. [1] |
| enterprise | T1007 | System Service Discovery | Comnie runs the command: net start >> %TEMP%\info.dat on a victim. [1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | Comnie uses blogs and third-party sites (GitHub, Tumblr, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server. [1] |
