S0343 Exaramel for Windows
Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[1]
Item | Value |
---|---|
ID | S0343 |
Associated Names | |
Type | MALWARE |
Version | 2.2 |
Created | 30 January 2019 |
Last Modified | 26 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1560 | Archive Collected Data | Exaramel for Windows automatically encrypts files before sending them to the C2 server.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Exaramel for Windows has a command to launch a remote shell and executes commands on the victim’s machine.[1] |
enterprise | T1059.005 | Visual Basic | Exaramel for Windows has a command to execute VBS scripts on the victim’s machine.[1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description “Windows Check AV.”[1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | Exaramel for Windows specifies a path to store files scheduled for exfiltration.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.004 | Masquerade Task or Service | The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description “Windows Check AV” in an apparent attempt to masquerade as a legitimate service.[1] |
enterprise | T1112 | Modify Registry | Exaramel for Windows adds the configuration to the Registry in XML format.[1] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.011 | Fileless Storage | Exaramel for Windows stores the backdoor’s configuration in the Registry in XML format.[1] |
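A detection check for the service and Registry indicators listed in the table above, added here as an example; it is not part of the ATT&CK entry or of any vendor's rule set. It parses constructed service-installation and registry-value-set records (the key="value" field names are an assumption of the example, loosely modelled on System log Event ID 7045 and Sysmon Event ID 13) and flags the wsmprovav service name, the "Windows Check AV" description, and XML documents written to Registry values.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Indicators quoted on this ATT&CK entry for the Exaramel for Windows dropper.
SERVICE_NAME = "wsmprovav"
SERVICE_DESCRIPTION = "windows check av"

# Constructed sample records in a simplified key="value" form (System log 7045 = service
# installed, Sysmon 13 = registry value set). Field names are an assumption, not a vendor schema.
SAMPLE_EVENTS = [
    'EventID="7045" ServiceName="wsmprovav" ImagePath="C:\\ProgramData\\svc.exe"',
    'EventID="7045" ServiceName="Spooler" ImagePath="C:\\Windows\\System32\\spoolsv.exe"',
    'EventID="13" TargetObject="HKLM\\System\\CurrentControlSet\\Services\\wsmprovav\\Description" Details="Windows Check AV"',
    'EventID="13" TargetObject="HKLM\\System\\CurrentControlSet\\Services\\Spooler\\Description" Details="Print Spooler"',
    'EventID="13" TargetObject="HKLM\\Software\\Example\\Config" Details="<?xml version=\\"1.0\\"?><settings/>"',
]

# key="value" pairs; a backslash escapes the next character inside a value.
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_event(line: str) -> dict:
    """Split one record into a dict, unescaping \\" inside values (paths keep their backslashes)."""
    return {key: value.replace('\\"', '"') for key, value in FIELD_RE.findall(line)}

def classify(event: dict) -> Optional[str]:
    """Return a finding label for one parsed event, or None when nothing matches."""
    event_id = event.get("EventID")
    if event_id == "7045" and event.get("ServiceName", "").lower() == SERVICE_NAME:
        return "service installed with the name wsmprovav (T1543.003)"
    if event_id == "13":
        target = event.get("TargetObject", "").lower()
        details = event.get("Details", "").strip()
        # A service's description is stored in the Description value under its Services key.
        if target.endswith(f"\\services\\{SERVICE_NAME}\\description") or details.lower() == SERVICE_DESCRIPTION:
            return "service description 'Windows Check AV' set in the Registry (T1036.004)"
        # The entry says the config is kept in the Registry as XML but not under which key, so this
        # rule is deliberately broad and low confidence: triage hits, do not alert on them alone.
        if details.startswith("<?xml"):
            return "XML document written to a registry value (T1027.011, low confidence)"
    return None

def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Run classify() over raw records and return (record index, finding) for each hit."""
    hits = []
    for index, line in enumerate(lines):
        finding = classify(parse_event(line))
        if finding:
            hits.append((index, finding))
    return hits
```

Running scan(SAMPLE_EVENTS) flags records 0, 2 and 4 and leaves the Print Spooler records alone.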
Groups That Use This Software
ID | Name | References |
---|---|---|
G0034 | Sandworm Team | [1] |