Skip to content

S0445 ShimRatReporter

ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as ShimRat) as well as set up faux infrastructure which mimics the adversary’s targets. ShimRatReporter has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.1

Item Value
ID S0445
Associated Names
Version 1.0
Created 12 May 2020
Last Modified 27 May 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery ShimRatReporter listed all non-privileged and privileged accounts available on the machine.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols ShimRatReporter communicated over HTTP with preconfigured C2 servers.1
enterprise T1560 Archive Collected Data ShimRatReporter used LZ compression to compress initial reconnaissance reports before sending to the C2.1
enterprise T1119 Automated Collection ShimRatReporter gathered information automatically, without instruction from a C2, related to the user and host machine that is compiled into a report and sent to the operators.1
enterprise T1020 Automated Exfiltration ShimRatReporter sent collected system and network information compiled into a report to an adversary-controlled C2.1
enterprise T1041 Exfiltration Over C2 Channel ShimRatReporter sent generated reports to the C2 via HTTP POST requests.1
enterprise T1105 Ingress Tool Transfer ShimRatReporter had the ability to download additional payloads.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location ShimRatReporter spoofed itself as AlphaZawgyl_font.exe, a specialized Unicode font.1
enterprise T1106 Native API ShimRatReporter used several Windows API functions to gather information from the infected system.1
enterprise T1027 Obfuscated Files or Information ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key.1
enterprise T1069 Permission Groups Discovery ShimRatReporter gathered the local privileges for the infected host.1
enterprise T1057 Process Discovery ShimRatReporter listed all running processes on the machine.1
enterprise T1518 Software Discovery ShimRatReporter gathered a list of installed software on the infected host.1
enterprise T1082 System Information Discovery ShimRatReporter gathered the operating system name and specific Windows version of an infected machine.1
enterprise T1016 System Network Configuration Discovery ShimRatReporter gathered the local proxy, domain, IP, routing tables, mac address, gateway, DNS servers, and DHCP status information from an infected host.1
enterprise T1049 System Network Connections Discovery ShimRatReporter used the Windows function GetExtendedUdpTable to detect connected UDP endpoints.1

Groups That Use This Software

ID Name References
G0103 Mofang -