S0445 ShimRatReporter
ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary’s targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.
Techniques Used
| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1087 | Account Discovery | ShimRatReporter listed all non-privileged and privileged accounts available on the machine. |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ShimRatReporter communicated over HTTP with preconfigured C2 servers. |
| enterprise | T1560 | Archive Collected Data | ShimRatReporter used LZ compression to compress initial reconnaissance reports before sending them to the C2. |
| enterprise | T1119 | Automated Collection | ShimRatReporter gathered information automatically, without instruction from a C2, related to the user and host machine; this information is compiled into a report and sent to the operators. |
| enterprise | T1020 | Automated Exfiltration | ShimRatReporter sent collected system and network information, compiled into a report, to an adversary-controlled C2. |
| enterprise | T1041 | Exfiltration Over C2 Channel | ShimRatReporter sent generated reports to the C2 via HTTP POST requests. |
| enterprise | T1105 | Ingress Tool Transfer | ShimRatReporter had the ability to download additional payloads. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | ShimRatReporter spoofed itself as AlphaZawgyl_font.exe, a specialized Unicode font. |
| enterprise | T1106 | Native API | ShimRatReporter used several Windows API functions to gather information from the infected system. |
| enterprise | T1027 | Obfuscated Files or Information | ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key. |
| enterprise | T1069 | Permission Groups Discovery | ShimRatReporter gathered the local privileges for the infected host. |
| enterprise | T1057 | Process Discovery | ShimRatReporter listed all running processes on the machine. |
| enterprise | T1518 | Software Discovery | ShimRatReporter gathered a list of installed software on the infected host. |
| enterprise | T1082 | System Information Discovery | ShimRatReporter gathered the operating system name and specific Windows version of an infected machine. |
| enterprise | T1016 | System Network Configuration Discovery | ShimRatReporter gathered the local proxy, domain, IP, routing tables, MAC address, gateway, DNS servers, and DHCP status information from an infected host. |
| enterprise | T1049 | System Network Connections Discovery | ShimRatReporter used the Windows function GetExtendedUdpTable to detect connected UDP endpoints. |
Groups That Use This Software
References