
S0439 Okrum

Okrum is a Windows backdoor that has been seen in use since December 2016 with strong links to Ke3chang.1

Item Value
ID S0439
Associated Names
Version 1.0
Created 06 May 2020
Last Modified 14 May 2020

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation -
enterprise T1134.001 Token Impersonation/Theft Okrum can impersonate a logged-on user’s security context using a call to the ImpersonateLoggedOnUser API.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Okrum uses HTTP for communication with its C2.1
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility Okrum was seen using a RAR archiver tool to compress/decompress data.1
enterprise T1560.003 Archive via Custom Method Okrum has used a custom implementation of AES encryption to encrypt collected data.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.1
enterprise T1547.009 Shortcut Modification Okrum can establish persistence by creating a .lnk shortcut to itself in the Startup folder.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Okrum's backdoor has used cmd.exe to execute arbitrary commands, as well as batch scripts to update itself to a newer version.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service To establish persistence, Okrum can install itself as a new service named NtmsSvc.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Okrum has used base64 to encode C2 communication.1
enterprise T1001 Data Obfuscation -
enterprise T1001.003 Protocol Impersonation Okrum mimics HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.1
enterprise T1140 Deobfuscate/Decode Files or Information Okrum's loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Okrum uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C2 server in the registration phase.1
enterprise T1041 Exfiltration Over C2 Channel Data exfiltration is done by Okrum using the already opened channel with the C2 server.1
enterprise T1083 File and Directory Discovery Okrum has used DriveLetterView to enumerate drive information.1
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories Before exfiltration, Okrum's backdoor has used hidden files to store logs and outputs from backdoor commands.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Okrum's backdoor deletes files after they have been successfully uploaded to C2 servers.1
enterprise T1105 Ingress Tool Transfer Okrum has built-in commands for uploading, downloading, and executing files on the system.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Okrum was seen using a keylogger tool to capture keystrokes.1
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.003 Steganography Okrum's payload is encrypted and embedded within its loader, or within a legitimate PNG file.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Okrum was seen using MimikatzLite to perform credential dumping.1
enterprise T1003.005 Cached Domain Credentials Okrum was seen using modified Quarks PwDump to perform credential dumping.1
enterprise T1090 Proxy -
enterprise T1090.002 External Proxy Okrum can identify the proxy servers configured and used by the victim, and use them to make HTTP requests to its C2 server.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Okrum's installer can attempt to achieve persistence by creating a scheduled task.1
enterprise T1082 System Information Discovery Okrum can collect computer name, locale information, and information about the OS and architecture.1
enterprise T1016 System Network Configuration Discovery Okrum can collect network information, including the host IP address, DNS, and proxy information.1
enterprise T1049 System Network Connections Discovery Okrum was seen using NetSess to discover NetBIOS sessions.1
enterprise T1033 System Owner/User Discovery Okrum can collect the victim username.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Okrum's loader can create a new service named NtmsSvc to execute the payload.1
enterprise T1124 System Time Discovery Okrum can obtain the date and time of the compromised system.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks Okrum's loader can check the amount of physical memory and terminates itself if the host has less than 1.5 Gigabytes of physical memory in total.1
enterprise T1497.002 User Activity Based Checks Okrum's loader only executes the payload after the left mouse button has been pressed at least three times, in order to avoid executing within virtualized or emulated environments.1
enterprise T1497.003 Time Based Evasion Okrum's loader can detect the presence of an emulator by using two calls to the GetTickCount API and checking whether time has been accelerated.1
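Two of the behaviours in the table above lend themselves to simple hunt logic: the C2 channel that hides base64-encoded, AES-encrypted messages in Cookie and Set-Cookie headers (T1001.003, T1132.001, T1573.001), and the service installed under the name NtmsSvc with the display name Removable Storage (T1036.004, T1543.003). The following is an added example written for this page; it is not code from the ESET report or from Okrum itself. The HTTP messages, the cookie name `id`, the pseudo-random bytes standing in for ciphertext, the Event ID 7045-style service records, and the entropy and length thresholds are all constructed assumptions for illustration.

```python
"""Hunt helpers for two Okrum behaviours (added example, constructed inputs)."""
import base64
import binascii
import hashlib
import math
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# --- C2 messages hidden in Cookie / Set-Cookie headers ----------------------

COOKIE_HEADER = re.compile(r"^(Cookie|Set-Cookie):\s*(.*)$", re.I | re.M)
COOKIE_ATTRIBUTES = {"path", "domain", "expires", "max-age", "samesite"}
MIN_DECODED_LEN = 32    # assumption: real session tokens are usually shorter
MIN_ENTROPY_BITS = 4.5  # assumption: 64 bytes of AES output score close to 6


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def strict_b64decode(value: str) -> Optional[bytes]:
    """Decode only well-formed base64 (standard or URL-safe alphabet)."""
    normalised = value.replace("-", "+").replace("_", "/")
    try:
        return base64.b64decode(normalised, validate=True)
    except (binascii.Error, ValueError):
        return None


def suspicious_cookie_values(raw_http: str) -> List[Tuple[str, str, bytes]]:
    """Return (header, cookie_name, decoded_bytes) for cookie values that look
    like an opaque encrypted blob rather than an ordinary session token."""
    hits = []
    for header, body in COOKIE_HEADER.findall(raw_http):
        for part in body.split(";"):
            name, sep, value = part.strip().partition("=")
            if not sep or name.lower() in COOKIE_ATTRIBUTES:
                continue  # "HttpOnly", "Path=/" and friends carry no data
            decoded = strict_b64decode(value.strip())
            if (decoded and len(decoded) >= MIN_DECODED_LEN
                    and byte_entropy(decoded) >= MIN_ENTROPY_BITS):
                hits.append((header, name, decoded))
    return hits


# Constructed stand-in for 64 bytes of AES ciphertext (deterministic, so the
# example is reproducible); not derived from real Okrum traffic.
FAKE_CIPHERTEXT = (hashlib.sha256(b"okrum-example-1").digest()
                   + hashlib.sha256(b"okrum-example-2").digest())

BENIGN_REQUEST = ("GET /index.html HTTP/1.1\r\n"
                  "Host: www.example.com\r\n"
                  "Cookie: session=abc123; lang=en-US\r\n\r\n")
BEACON_REQUEST = ("GET /images/logo.png HTTP/1.1\r\n"
                  "Host: www.example.com\r\n"
                  f"Cookie: id={base64.b64encode(FAKE_CIPHERTEXT).decode()}\r\n\r\n")
TASKING_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                    f"Set-Cookie: id={base64.b64encode(FAKE_CIPHERTEXT[::-1]).decode()}"
                    "; Path=/; HttpOnly\r\n"
                    "Content-Length: 0\r\n\r\n")

# --- Service masquerading as the Removable Storage Manager ------------------

OKRUM_SERVICE_NAMES = {"ntmssvc"}
OKRUM_DISPLAY_NAMES = {"removable storage"}


def masquerading_services(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag service-install records that borrow the NtmsSvc / Removable Storage
    identity but point at a binary other than svchost.exe in System32.
    Assumption: the genuine service only ever ran as a svchost.exe host."""
    flagged = []
    for ev in events:
        name_hit = (ev["ServiceName"].lower() in OKRUM_SERVICE_NAMES
                    or ev["DisplayName"].lower() in OKRUM_DISPLAY_NAMES)
        image = ev["ImagePath"].strip('"').lower()
        if name_hit and "\\system32\\svchost.exe" not in image:
            flagged.append(ev)
    return flagged


# Constructed records in the shape of System log Event ID 7045 (service installed).
SERVICE_EVENTS = [
    {"ServiceName": "NtmsSvc", "DisplayName": "Removable Storage",
     "ImagePath": r"C:\Users\Public\Libraries\ntmssvc.exe"},           # Okrum-like
    {"ServiceName": "NtmsSvc", "DisplayName": "Removable Storage",
     "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs"},    # legacy shape
    {"ServiceName": "Spooler", "DisplayName": "Print Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},                 # unrelated
]

if __name__ == "__main__":
    for sample in (BENIGN_REQUEST, BEACON_REQUEST, TASKING_RESPONSE):
        for header, name, blob in suspicious_cookie_values(sample):
            print(f"{header}: cookie {name!r} carries {len(blob)} opaque bytes")
    for ev in masquerading_services(SERVICE_EVENTS):
        print("suspicious service:", ev["ServiceName"], "->", ev["ImagePath"])
```

The cookie check is a triage filter, not a verdict: legitimate applications also issue long, high-entropy session tokens, so hits should be weighed against the host, URI and beaconing cadence of the traffic. The service check deliberately lets the svchost-shaped record through, since it has the form of the original Removable Storage Manager service; on Windows Vista and later that component no longer ships, so on a modern host the presence of the NtmsSvc name at all is worth a look regardless of the image path.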

Groups That Use This Software

ID Name References
G0004 Ke3chang 1