
S0444 ShimRat

ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. [1]

| Item | Value |
|---|---|
| ID | S0444 |
| Associated Names | |
| Version | 1.0 |
| Created | 12 May 2020 |
| Last Modified | 29 May 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | ShimRat has hijacked cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Account Control window from appearing. [1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ShimRat communicated over HTTP and HTTPS with C2 servers. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | ShimRat has installed a registry-based start-up key, HKCU\Software\microsoft\windows\CurrentVersion\Run, to maintain persistence should other methods fail. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | ShimRat can be issued a command shell function from the C2. [1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | ShimRat has installed a Windows service to maintain persistence on victim machines. [1] |
| enterprise | T1005 | Data from Local System | ShimRat has the capability to upload collected files to a C2. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system. [1] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.011 | Application Shimming | ShimRat has installed shim databases in the AppPatch folder. [1] |
| enterprise | T1008 | Fallback Channels | ShimRat has used a secondary C2 location if the first was unavailable. [1] |
| enterprise | T1083 | File and Directory Discovery | ShimRat can list directories. [1] |
| enterprise | T1574 | Hijack Execution Flow | ShimRat can hijack cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls. [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | ShimRat can uninstall itself from compromised hosts, as well as create and modify directories and delete, move, copy, and rename files. [1] |
| enterprise | T1105 | Ingress Tool Transfer | ShimRat can download additional files. [1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems. [1] |
| enterprise | T1112 | Modify Registry | ShimRat has registered two registry keys for shim databases. [1] |
| enterprise | T1106 | Native API | ShimRat has used Windows API functions to install the service and shim. [1] |
| enterprise | T1135 | Network Share Discovery | ShimRat can enumerate connected drives on infected host machines. [1] |
| enterprise | T1027 | Obfuscated Files or Information | ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file. [1] |
| enterprise | T1027.002 | Software Packing | ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack. [1] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.002 | External Proxy | ShimRat can use pre-configured HTTP proxies. [1] |
| enterprise | T1029 | Scheduled Transfer | ShimRat can sleep when instructed to do so by the C2. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0103 | Mofang | - |