S0275 UPPERCUT

UPPERCUT is a backdoor that has been used by menuPass. ¹

Associated Software Descriptions

Name	Description
ANEL	¹

Domain	ID	Name	Use
enterprise	T1071	Application Layer Protocol	-
enterprise	T1071.001	Web Protocols	UPPERCUT has used HTTP for C2, including sending error codes in Cookie headers.¹
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.003	Windows Command Shell	UPPERCUT uses cmd.exe to execute commands on the victim’s machine.¹
enterprise	T1573	Encrypted Channel	-
enterprise	T1573.001	Symmetric Cryptography	Some versions of UPPERCUT have used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address.¹
enterprise	T1083	File and Directory Discovery	UPPERCUT has the capability to gather the victim’s current directory.¹
enterprise	T1105	Ingress Tool Transfer	UPPERCUT can download and upload files to and from the victim’s machine.¹
enterprise	T1113	Screen Capture	UPPERCUT can capture desktop screenshots in the PNG format and send them to the C2 server.¹
enterprise	T1082	System Information Discovery	UPPERCUT has the capability to gather the system’s hostname and OS version.¹
enterprise	T1016	System Network Configuration Discovery	UPPERCUT has the capability to gather the victim’s proxy information.¹
enterprise	T1033	System Owner/User Discovery	UPPERCUT has the capability to collect the current logged on user’s username from a machine.¹
enterprise	T1124	System Time Discovery	UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim’s machine.¹

ID	Name	References
G0045	menuPass	¹