enterprise |
T1134 |
Access Token Manipulation |
- |
enterprise |
T1134.001 |
Token Impersonation/Theft |
Okrum can impersonate a logged-on user’s security context using a call to the ImpersonateLoggedOnUser API. |
enterprise |
T1071 |
Application Layer Protocol |
- |
enterprise |
T1071.001 |
Web Protocols |
Okrum uses HTTP for communication with its C2. |
enterprise |
T1560 |
Archive Collected Data |
- |
enterprise |
T1560.001 |
Archive via Utility |
Okrum was seen using a RAR archiver tool to compress/decompress data. |
enterprise |
T1560.003 |
Archive via Custom Method |
Okrum has used a custom implementation of AES encryption to encrypt collected data. |
enterprise |
T1547 |
Boot or Logon Autostart Execution |
- |
enterprise |
T1547.001 |
Registry Run Keys / Startup Folder |
Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder. |
enterprise |
T1547.009 |
Shortcut Modification |
Okrum can establish persistence by creating a .lnk shortcut to itself in the Startup folder. |
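The two rows above describe the same artifact: a `.lnk` in the Startup folder whose target is the backdoor itself. The triage script below is an added example (not code from MITRE, ESET or Okrum) that reads the Shell Link format directly, pulls the target path and any arguments, and flags shortcuts whose target sits outside the usual program directories. The `build_lnk` helper only exists to construct test fixtures; the fixture paths, the `EXPECTED_PREFIXES` allowlist and the C: system drive are assumptions, since the page does not say where Okrum drops its binary. The parser reads the ANSI `LocalBasePath` only; IDList-only shortcuts and the Unicode path fields are reported as unresolved rather than decoded.

```python
import struct

# Shell Link (.lnk) constants from MS-SHLLINK. The CLSID bytes are the
# little-endian encoding of {00021401-0000-0000-C000-000000000046}.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location"))
# Analyst assumption for triage: Startup shortcuts normally point into these.
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def build_lnk(local_base_path: str, arguments: str = "") -> bytes:
    """Build a minimal .lnk with a LinkInfo.LocalBasePath and optional
    COMMAND_LINE_ARGUMENTS. Test fixture only; real shortcuts carry more."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    # ShellLinkHeader: size, CLSID, flags, FILE_ATTRIBUTE_ARCHIVE, three FILETIMEs,
    # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, three reserved fields (76 bytes).
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 17, 3, 0x1234ABCD, 16) + b"\x00"  # DRIVE_FIXED, empty label
    base_path = local_base_path.encode("cp1252") + b"\x00"
    suffix = b"\x00"  # empty CommonPathSuffix
    vol_off = 0x1C
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<IIIIIII", suffix_off + len(suffix), 0x1C, 0x01,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_path + suffix
    string_data = b""
    if arguments:  # IS_UNICODE set: CountCharacters, then UTF-16LE, no terminator
        string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data


def parse_lnk(data: bytes) -> dict:
    """Extract the target path and StringData fields from a .lnk blob."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList; we rely on LinkInfo
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        size, _hdr, info_flags, _vol, base_off, _net, _suffix = struct.unpack_from("<IIIIIII", data, pos)
        if info_flags & 0x01:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            start = pos + base_off
            target = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += size
    result = {"flags": flags, "target": target}
    for bit, key in STRING_DATA_FIELDS:  # fixed order defined by the spec
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            result[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return result


def assess_startup_lnk(parsed: dict) -> list:
    """Return triage reasons; an empty list means nothing stood out."""
    target = (parsed.get("target") or parsed.get("relative_path") or "").lower()
    if not target:
        return ["no resolvable target (IDList-only shortcut, not handled here)"]
    if not target.startswith(EXPECTED_PREFIXES):
        return [f"target outside expected program locations: {target}"]
    return []


# Constructed fixtures standing in for the contents of a user's Startup folder.
SAMPLE_STARTUP = {
    "OneDrive.lnk": build_lnk(r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "/background"),
    "Updater.lnk": build_lnk(r"C:\Users\alice\AppData\Roaming\Updater\updater.exe"),
}


def triage_startup_folder(shortcuts: dict) -> dict:
    return {name: assess_startup_lnk(parse_lnk(blob)) for name, blob in shortcuts.items()}


if __name__ == "__main__":
    for name, reasons in triage_startup_folder(SAMPLE_STARTUP).items():
        print(name, "->", reasons or "ok")
```

On a live host the same `parse_lnk` runs over the bytes of every `*.lnk` under `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` and the all-users equivalent; a shortcut whose target resolves into a user profile or ProgramData, as in the second fixture, is the case the rows above describe.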
enterprise |
T1059 |
Command and Scripting Interpreter |
- |
enterprise |
T1059.003 |
Windows Command Shell |
Okrum's backdoor has used cmd.exe to execute arbitrary commands, and batch scripts to update itself to a newer version. |
enterprise |
T1543 |
Create or Modify System Process |
- |
enterprise |
T1543.003 |
Windows Service |
To establish persistence, Okrum can install itself as a new service named NtmsSvc. |
enterprise |
T1132 |
Data Encoding |
- |
enterprise |
T1132.001 |
Standard Encoding |
Okrum has used base64 to encode C2 communication. |
enterprise |
T1001 |
Data Obfuscation |
- |
enterprise |
T1001.003 |
Protocol Impersonation |
Okrum mimics the HTTP protocol for C2 communication, hiding the actual messages in the Cookie header of its HTTP requests and the Set-Cookie header of the server's responses. |
enterprise |
T1140 |
Deobfuscate/Decode Files or Information |
Okrum's loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption. |
enterprise |
T1573 |
Encrypted Channel |
- |
enterprise |
T1573.001 |
Symmetric Cryptography |
Okrum uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C2 server in the registration phase. |
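The three rows above (base64 encoding, messages carried in Cookie and Set-Cookie headers, AES-encrypted traffic), together with the AES-encrypted collected data in the T1560.003 row, describe one observable: a cookie value that is base64 of ciphertext rather than a session token. The detector below is an added example, not MITRE, ESET or Okrum code. It parses a raw HTTP request and response, pulls every cookie name/value pair, strictly base64-decodes each value and flags those whose decoded bytes look like ciphertext (near-maximal entropy for their length and mostly non-printable). The HTTP exchange, the cookie names and the SHA-256-derived stand-in for ciphertext are constructed for the example; the entropy and printable-ratio thresholds are tuning assumptions, not values taken from Okrum.

```python
import base64
import binascii
import hashlib
import math
from collections import Counter

# Stand-in for AES ciphertext: SHA-256 digests give deterministic, high-entropy
# bytes without reproducing any Okrum crypto. Constructed for this example.
FAKE_CIPHERTEXT_OUT = hashlib.sha256(b"beacon-1").digest() + hashlib.sha256(b"beacon-2").digest()
FAKE_CIPHERTEXT_IN = hashlib.sha256(b"task-1").digest() + hashlib.sha256(b"task-2").digest()

# Constructed HTTP exchange as it would appear in a proxy capture.
SAMPLE_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: cdn.example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Cookie: lang=en-US; sid=" + base64.b64encode(FAKE_CIPHERTEXT_OUT).decode()
    + "; consent=YWJjZGVmZ2hpamtsbW5vcA==\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sid=" + base64.b64encode(FAKE_CIPHERTEXT_IN).decode() + "; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en-US; Path=/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum and needs at least 256 bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def try_base64(value: str):
    """Strictly decode standard or URL-safe base64; None if it is not base64."""
    try:
        return base64.b64decode(value.replace("-", "+").replace("_", "/"), validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_ciphertext(data: bytes, min_len: int = 32) -> bool:
    """Heuristic: long enough to matter, entropy close to the maximum possible
    for this many bytes, and mostly non-printable. Thresholds are assumptions."""
    n = len(data)
    if n < min_len:
        return False
    entropy_ratio = shannon_entropy(data) / math.log2(min(n, 256))
    printable_ratio = sum(32 <= b < 127 for b in data) / n
    return entropy_ratio >= 0.85 and printable_ratio < 0.75


def extract_cookie_pairs(raw_http: str) -> list:
    """Return (header, name, value) for every Cookie item and for the first pair
    of each Set-Cookie header; the request/status line is skipped."""
    pairs = []
    head = raw_http.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        header, sep, value = line.partition(":")
        if not sep:
            continue
        header = header.strip().lower()
        if header == "cookie":
            items = [item.strip() for item in value.split(";")]
        elif header == "set-cookie":
            items = [value.split(";", 1)[0].strip()]  # Path/HttpOnly etc. are not data
        else:
            continue
        for item in items:
            name, eq, val = item.partition("=")  # first '=' only: base64 padding follows
            if eq:
                pairs.append(("Cookie" if header == "cookie" else "Set-Cookie", name, val))
    return pairs


def suspicious_cookie_channels(raw_http: str) -> list:
    """Flag cookie values that decode to ciphertext-like bytes."""
    hits = []
    for header, name, value in extract_cookie_pairs(raw_http):
        decoded = try_base64(value)
        if decoded is not None and looks_like_ciphertext(decoded):
            hits.append({"header": header, "name": name, "decoded_len": len(decoded),
                         "entropy": round(shannon_entropy(decoded), 2)})
    return hits


if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(suspicious_cookie_channels(raw))
```

The `consent` cookie decodes cleanly but to 16 printable bytes, so it is not flagged; the `lang` cookie is not base64 at all. A backdoor that applies its own encoding on top of base64, or splits the message across several cookies, slips past this check, so the heuristic belongs alongside a per-host baseline of which sites legitimately set long opaque cookies rather than as a stand-alone alert.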
enterprise |
T1041 |
Exfiltration Over C2 Channel |
Okrum exfiltrates data over the already established channel to its C2 server. |
enterprise |
T1083 |
File and Directory Discovery |
Okrum has used DriveLetterView to enumerate drive information. |
enterprise |
T1564 |
Hide Artifacts |
- |
enterprise |
T1564.001 |
Hidden Files and Directories |
Before exfiltration, Okrum's backdoor has used hidden files to store logs and outputs from backdoor commands. |
enterprise |
T1070 |
Indicator Removal |
- |
enterprise |
T1070.004 |
File Deletion |
Okrum's backdoor deletes files after they have been successfully uploaded to C2 servers. |
enterprise |
T1105 |
Ingress Tool Transfer |
Okrum has built-in commands for downloading files to the compromised system and executing them, as well as for uploading files from it. |
enterprise |
T1056 |
Input Capture |
- |
enterprise |
T1056.001 |
Keylogging |
Okrum was seen using a keylogger tool to capture keystrokes. |
enterprise |
T1036 |
Masquerading |
- |
enterprise |
T1036.004 |
Masquerade Task or Service |
Okrum can establish persistence by adding a new service named NtmsSvc with the display name Removable Storage, masquerading as the legitimate Removable Storage Manager service. |
enterprise |
T1027 |
Obfuscated Files or Information |
- |
enterprise |
T1027.003 |
Steganography |
Okrum's payload is encrypted and embedded within its loader, or within a legitimate PNG file. |
enterprise |
T1003 |
OS Credential Dumping |
- |
enterprise |
T1003.001 |
LSASS Memory |
Okrum was seen using MimikatzLite to perform credential dumping. |
enterprise |
T1003.005 |
Cached Domain Credentials |
Okrum was seen using modified Quarks PwDump to perform credential dumping. |
enterprise |
T1090 |
Proxy |
- |
enterprise |
T1090.002 |
External Proxy |
Okrum can identify the proxy servers configured and used on the victim host, and use them to make HTTP requests to its C2 server. |
enterprise |
T1053 |
Scheduled Task/Job |
- |
enterprise |
T1053.005 |
Scheduled Task |
Okrum's installer can attempt to achieve persistence by creating a scheduled task. |
enterprise |
T1082 |
System Information Discovery |
Okrum can collect computer name, locale information, and information about the OS and architecture. |
enterprise |
T1016 |
System Network Configuration Discovery |
Okrum can collect network information, including the host IP address, DNS, and proxy information. |
enterprise |
T1049 |
System Network Connections Discovery |
Okrum was seen using NetSess to discover NetBIOS sessions. |
enterprise |
T1033 |
System Owner/User Discovery |
Okrum can collect the victim username. |
enterprise |
T1569 |
System Services |
- |
enterprise |
T1569.002 |
Service Execution |
Okrum's loader can create a new service named NtmsSvc to execute the payload. |
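The T1543.003, T1036.004 and T1569.002 rows all hinge on one registry artifact: a service whose name and display name copy a built-in Windows component but whose binary is not where that component lives. The script below is an added example (not MITRE, ESET or Okrum code) that runs that check over rows shaped like osquery's `services` table. Only the NtmsSvc / "Removable Storage" pairing comes from the page; the other rows, the binary paths, the `BUILTIN_DISPLAY_NAMES` allowlist and the assumption that the system drive is C: are constructed for the example. The path normaliser handles the spellings the registry actually uses for the Windows directory (`%SystemRoot%`, `\SystemRoot`, `\??\`, a bare `system32\` prefix), which is where naive string matching usually breaks.

```python
# Constructed rows shaped like osquery's `services` table. Only the
# NtmsSvc/"Removable Storage" pairing comes from the Okrum description.
SAMPLE_SERVICES = [
    {"name": "Dnscache", "display_name": "DNS Client",
     "path": "%SystemRoot%\\system32\\svchost.exe -k NetworkService -p",
     "start_type": "AUTO_START", "user_account": "NT AUTHORITY\\NetworkService"},
    {"name": "Spooler", "display_name": "Print Spooler",
     "path": "C:\\Windows\\System32\\spoolsv.exe",
     "start_type": "AUTO_START", "user_account": "LocalSystem"},
    {"name": "NtmsSvc", "display_name": "Removable Storage",
     "path": "C:\\ProgramData\\Ntms\\ntmssvc.exe",
     "start_type": "AUTO_START", "user_account": "LocalSystem"},
    {"name": "UpdaterSvc", "display_name": "Windows Update",
     "path": "\"C:\\Users\\Public\\Libraries\\update.exe\" /svc",
     "start_type": "AUTO_START", "user_account": "LocalSystem"},
    {"name": "Sysmon64", "display_name": "Sysmon64",
     "path": "C:\\Windows\\Sysmon64.exe",
     "start_type": "AUTO_START", "user_account": "LocalSystem"},
]

# Illustrative allowlist of display names belonging to built-in Windows services.
# A real deployment would baseline these from a clean golden image instead.
BUILTIN_DISPLAY_NAMES = {"Removable Storage", "DNS Client", "Print Spooler",
                         "Windows Update", "Windows Time", "Task Scheduler"}
SYSTEM32 = "c:\\windows\\system32\\"
# Assumption: system drive is C:. Locations a non-admin, or any dropper, can write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def executable_from_image_path(image_path: str) -> str:
    """Strip service arguments: honour quotes, otherwise cut at the first space,
    which is also the first candidate the SCM tries for an unquoted path."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def normalize_windows_path(path: str) -> str:
    """Lower-case and expand the spellings the registry uses for the Windows
    directory so that prefix checks work (assumes the system drive is C:)."""
    low = path.strip().strip('"').lower()
    for prefix in ("\\??\\", "\\\\?\\"):
        if low.startswith(prefix):
            low = low[len(prefix):]
    if low.startswith("%systemroot%"):
        low = "c:\\windows" + low[len("%systemroot%"):]
    elif low.startswith("\\systemroot"):
        low = "c:\\windows" + low[len("\\systemroot"):]
    elif low.startswith("system32\\"):
        low = "c:\\windows\\" + low
    return low


def assess_service(row: dict) -> list:
    """Return the reasons a service row deserves a look (empty = nothing found)."""
    reasons = []
    exe = normalize_windows_path(executable_from_image_path(row["path"]))
    in_system32 = exe.startswith(SYSTEM32)
    if row.get("display_name") in BUILTIN_DISPLAY_NAMES and not in_system32:
        reasons.append("built-in display name but binary outside System32")
    if exe.startswith(USER_WRITABLE):
        reasons.append("binary in a user-writable location")
    if row["name"].lower() == "ntmssvc" and not in_system32:
        reasons.append("service name NtmsSvc reused outside System32 (Okrum pattern)")
    return reasons


def suspicious_services(rows: list) -> dict:
    """Map service name -> reasons for every row that tripped a check."""
    flagged = {}
    for row in rows:
        reasons = assess_service(row)
        if reasons:
            flagged[row["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(reasons))
```

The same logic applies to System log event 7045 (service installed) for a real-time variant; the point of checking display name and binary location together is that either alone is noisy, while a built-in display name on a binary in ProgramData or a user profile almost never occurs legitimately.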
enterprise |
T1124 |
System Time Discovery |
Okrum can obtain the date and time of the compromised system. |
enterprise |
T1497 |
Virtualization/Sandbox Evasion |
- |
enterprise |
T1497.001 |
System Checks |
Okrum's loader checks the amount of physical memory and terminates itself if the host has less than 1.5 GB of physical memory in total. |
enterprise |
T1497.002 |
User Activity Based Checks |
Okrum's loader executes the payload only after the left mouse button has been pressed at least three times, in order to avoid running inside virtualized or emulated environments. |
enterprise |
T1497.003 |
Time Based Evasion |
Okrum's loader can detect the presence of an emulator by calling the GetTickCount API twice and checking whether time has been accelerated. |