S0391 HAWKBALL
HAWKBALL is a backdoor that has been observed in intrusions targeting the government sector in Central Asia.1
Item | Value |
---|---|
ID | S0391 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 20 June 2019 |
Last Modified | 30 March 2020 |
Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | HAWKBALL has used HTTP to communicate with a single hard-coded C2 server.1 |
enterprise | T1560 | Archive Collected Data | - |
enterprise | T1560.003 | Archive via Custom Method | HAWKBALL has encrypted data with XOR before sending it over the C2 channel.1 |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.1 |
enterprise | T1041 | Exfiltration Over C2 Channel | HAWKBALL has sent system information and files over the C2 channel.1 |
enterprise | T1203 | Exploitation for Client Execution | HAWKBALL has exploited Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to deliver the payload.1 |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | HAWKBALL has the ability to delete files.1 |
enterprise | T1559 | Inter-Process Communication | - |
enterprise | T1559.002 | Dynamic Data Exchange | HAWKBALL has used an OLE object that uses Equation Editor to drop the embedded shellcode.1 |
enterprise | T1106 | Native API | HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity.1 |
enterprise | T1027 | Obfuscated Files or Information | HAWKBALL has encrypted the payload with an XOR-based algorithm.1 |
enterprise | T1082 | System Information Discovery | HAWKBALL can collect the OS version, architecture information, and computer name.1 |
enterprise | T1033 | System Owner/User Discovery | HAWKBALL can collect the user name of the system.1 |
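The T1027 and T1560.003 rows above say only that the payload and the collected data are XOR-encrypted. The following is an added example, not code from the ATT&CK page, from the report it cites or from the HAWKBALL samples, showing how an analyst recovers such keys: a repeating key of unknown length from a known-plaintext crib (the DOS stub string every PE carries) and a one-byte key for the C2 data by brute force with a plaintext score. The key lengths, the crib offset 0x4E, the scoring weights and the two sample buffers are assumptions constructed for the example.

```python
"""Recovering XOR keys from a HAWKBALL-style XOR-encrypted payload and C2 data.

Added example: this is not code from the ATT&CK page, from the report it cites
or from the HAWKBALL samples. The page states only that the payload and the
collected data are XOR-encrypted; the key lengths, the PE crib offset and the
sample buffers below are assumptions constructed for illustration.
"""
import string
from typing import Optional

ALNUM = set(bytes(string.ascii_letters + string.digits, "ascii"))
DOS_STUB = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E  # typical position of the stub text in a PE; assumed for the sample


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_from_crib(cipher: bytes, crib: bytes, offset: int, key_len: int) -> bytes:
    """Derive a repeating key of key_len bytes from known plaintext at a known offset.

    Position p uses key byte p % key_len, so a crib of at least key_len bytes
    fixes every key byte: key[p % key_len] = cipher[p] ^ crib[i].
    """
    if len(crib) < key_len:
        raise ValueError("crib must be at least key_len bytes long")
    key = bytearray(key_len)
    for i in range(key_len):
        p = offset + i
        key[p % key_len] = cipher[p] ^ crib[i]
    return bytes(key)


def recover_pe_key(cipher: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Return the shortest repeating key (<= max_key_len) under which cipher decrypts to a PE.

    A candidate is accepted only if the decryption starts with "MZ" and reproduces
    the whole DOS stub string, not just the bytes that were used to derive the key.
    """
    for key_len in range(1, max_key_len + 1):
        key = key_from_crib(cipher, DOS_STUB, DOS_STUB_OFFSET, key_len)
        plain = xor_bytes(cipher, key)
        stub_ok = plain[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)] == DOS_STUB
        if plain.startswith(b"MZ") and stub_ok:
            return key
    return None


def text_score(data: bytes) -> int:
    """Crude plaintext score: spaces and ASCII alphanumerics count positively,
    other printable bytes are neutral, control and high bytes are penalised."""
    score = 0
    for b in data:
        if b == 0x20:
            score += 3
        elif b in ALNUM:
            score += 1
        elif b < 0x20 or b >= 0x7F:
            score -= 5
    return score


def recover_single_byte_key(cipher: bytes) -> int:
    """Brute-force all 256 one-byte keys and keep the most text-like decryption."""
    return max(range(256), key=lambda k: text_score(xor_bytes(cipher, bytes([k]))))


# Constructed samples (not real HAWKBALL artifacts): a minimal PE-like buffer
# encrypted with a 4-byte key, and a system-information string encrypted with
# a 1-byte key, standing in for the payload and the C2 data respectively.
FAKE_PE = b"MZ" + bytes(DOS_STUB_OFFSET - 2) + DOS_STUB + b"\r\n$" + bytes(32)
PAYLOAD_KEY = b"\x5a\xc3\x11\x7e"
PAYLOAD_ENC = xor_bytes(FAKE_PE, PAYLOAD_KEY)

C2_PLAIN = b"Windows 10 x64 | DESKTOP-01 | analyst"
C2_KEY = 0x37
C2_ENC = xor_bytes(C2_PLAIN, bytes([C2_KEY]))

if __name__ == "__main__":
    key = recover_pe_key(PAYLOAD_ENC)
    print("payload key:", key.hex() if key else None)
    k = recover_single_byte_key(C2_ENC)
    print("C2 key: 0x%02x -> %r" % (k, xor_bytes(C2_ENC, bytes([k]))))
```

The crib method needs no guess at the key length: each candidate length is derived from the same known plaintext and then validated against bytes the derivation did not use (the "MZ" header and the rest of the stub), so a wrong length fails the check rather than producing plausible garbage. The single-byte scorer weights spaces heavily because, for short system-information strings, a key that merely flips case or shifts letters still yields printable output; the space frequency is what separates the true key from those near misses.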
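The T1203, T1559.002 and T1059.003 rows describe a delivery chain (Office document, Equation Editor exploit, embedded shellcode, cmd.exe reverse shell) that is visible in process-creation telemetry as parent/child relationships. The following is an added example, not code from the ATT&CK page or the report it cites, running such lineage rules over Sysmon-style event lines. That Equation Editor runs as EQNEDT32.EXE, the specific parent/child heuristics and the constructed JSON events are assumptions of the example.

```python
"""Process-lineage detection for the HAWKBALL delivery chain.

Added example: this is not code from the ATT&CK page or from the report it
cites. The page says the lure document exploits Equation Editor
(CVE-2017-11882 / CVE-2018-0802) and that the backdoor runs a cmd.exe reverse
shell. That Equation Editor runs as EQNEDT32.EXE, the parent/child heuristics
and the Sysmon-style JSON event lines below are assumptions.
"""
import json
from typing import Dict, Iterable, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Map a process-creation event to an alert, or None if it is uninteresting."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent == EQUATION_EDITOR:
        # Equation Editor renders OLE equations; it has no reason to start child processes.
        return {"rule": "eqnedt32_child_process", "severity": "high"}
    if parent in OFFICE_APPS and child in SHELLS:
        # An Office application spawning an interpreter is the classic exploit/macro follow-on.
        return {"rule": "office_spawned_shell", "severity": "high"}
    if parent in OFFICE_APPS and child == EQUATION_EDITOR:
        # Legitimate for documents that contain equations, but rare enough to record.
        return {"rule": "office_spawned_eqnedt32", "severity": "low"}
    return None


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run classify() over JSON-lines process-creation events and collect the hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        alert = classify(event)
        if alert is not None:
            hits.append({**alert,
                         "parent": event.get("ParentImage", ""),
                         "image": event.get("Image", ""),
                         "cmd": event.get("CommandLine", "")})
    return hits


# Constructed events (not real telemetry) in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" invoice.doc'},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"EventID": 1, "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c Get-Process"},
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS.splitlines()):
        print(hit["severity"], hit["rule"], "|", basename(hit["parent"]), "->", basename(hit["image"]))
```

The first rule fires on any child of EQNEDT32.EXE regardless of what is spawned, because the page's chain has the shellcode, not the user, driving what runs next; the Office-to-shell rule catches the later reverse shell only when the backdoor is still executing under the Office process tree, so in practice it is paired with the EQNEDT32.EXE rule rather than used alone.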