S0354 Denis
Denis is a Windows backdoor and Trojan used by APT32. Denis shares several similarities to the SOUNDBITE backdoor and has been used in conjunction with the Goopy backdoor.[1]
| Item | Value |
|---|---|
| ID | S0354 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 30 January 2019 |
| Last Modified | 22 March 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.004 | DNS | Denis has used DNS tunneling for C2 communications.[1][2][3] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.002 | Archive via Library | Denis compressed collected data using zlib.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Denis has a version written in PowerShell.[3] |
| enterprise | T1059.003 | Windows Command Shell | Denis can launch a remote shell to execute arbitrary commands on the victim’s machine.[1][3] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Denis encodes the data sent to the server in Base64.[3] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Denis will decrypt important strings used for C&C communication.[3] |
| enterprise | T1083 | File and Directory Discovery | Denis has several commands to search directories for files.[1][3] |
| enterprise | T1574 | Hijack Execution Flow | Denis replaces the nonexistent Windows DLL “msfte.dll” with its own malicious version, which is loaded by SearchIndexer.exe and SearchProtocolHost.exe.[3] |
| enterprise | T1574.002 | DLL Side-Loading | Denis exploits a security vulnerability to load a fake DLL and execute its code.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Denis has a command to delete files from the victim’s machine.[1][3] |
| enterprise | T1105 | Ingress Tool Transfer | Denis deploys additional backdoors and hacking tools to the system.[3] |
| enterprise | T1106 | Native API | Denis used the IsDebuggerPresent, OutputDebugString, and SetLastError APIs to avoid debugging. Denis used GetProcAddress and LoadLibrary to dynamically resolve APIs. Denis also used the Wow64SetThreadContext API as part of process hollowing.[3] |
| enterprise | T1027 | Obfuscated Files or Information | Denis obfuscates its code and encrypts the API names.[3] |
| enterprise | T1027.010 | Command Obfuscation | Denis has encoded its PowerShell commands in Base64.[3] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.012 | Process Hollowing | Denis performed process hollowing through the API calls CreateRemoteThread, ResumeThread, and Wow64SetThreadContext.[3] |
| enterprise | T1012 | Query Registry | Denis queries the Registry for keys and values.[3] |
| enterprise | T1082 | System Information Discovery | Denis collects OS information and the computer name from the victim’s machine.[2][3] |
| enterprise | T1016 | System Network Configuration Discovery | Denis uses ipconfig to gather the IP address from the system.[3] |
| enterprise | T1033 | System Owner/User Discovery | Denis enumerates and collects the username from the victim’s machine.[2][3] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | Denis ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis.[3] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0050 | APT32 | [1][3] |
References
1. Dahan, A. (2017, May 24). Operation Cobalt Kitty: A Large-Scale APT in Asia Carried Out by the OceanLotus Group. Retrieved November 5, 2018.
2. Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018.
3. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.