
S0456 Aria-body

Aria-body is a custom backdoor that has been used by Naikon since approximately 2017. [1]

ID: S0456
Associated Names: none listed
Type: MALWARE
Version: 1.1
Created: 26 May 2020
Last Modified: 19 August 2021

Techniques Used

Domain: enterprise (all entries)

T1134 Access Token Manipulation
  T1134.001 Token Impersonation/Theft: Aria-body has the ability to duplicate a token from ntprint.exe. [1]
  T1134.002 Create Process with Token: Aria-body has the ability to execute a process using runas. [1]
T1071 Application Layer Protocol
  T1071.001 Web Protocols: Aria-body has used HTTP in C2 communications. [1]
T1010 Application Window Discovery: Aria-body has the ability to identify the titles of running windows on a compromised host. [1]
T1560 Archive Collected Data: Aria-body has used ZIP to compress data gathered on a compromised host. [1]
T1547 Boot or Logon Autostart Execution
  T1547.001 Registry Run Keys / Startup Folder: Aria-body has established persistence via the Startup folder or Run Registry key. [1]
T1025 Data from Removable Media: Aria-body has the ability to collect data from USB devices. [1]
T1140 Deobfuscate/Decode Files or Information: Aria-body has the ability to decrypt the loader configuration and payload DLL. [1]
T1568 Dynamic Resolution
  T1568.002 Domain Generation Algorithms: Aria-body has the ability to use a DGA for C2 communications. [1]
T1083 File and Directory Discovery: Aria-body has the ability to gather metadata from a file and to search for file and directory names. [1]
T1070 Indicator Removal
  T1070.004 File Deletion: Aria-body has the ability to delete files and directories on compromised hosts. [1]
T1105 Ingress Tool Transfer: Aria-body has the ability to download additional payloads from C2. [1]
T1106 Native API: Aria-body has the ability to launch files using ShellExecute. [1]
T1095 Non-Application Layer Protocol: Aria-body has used TCP in C2 communications. [1]
T1027 Obfuscated Files or Information: Aria-body has used an encrypted configuration file for its loader. [1]
T1057 Process Discovery: Aria-body has the ability to enumerate loaded modules for a process. [1]
T1055 Process Injection
  T1055.001 Dynamic-link Library Injection: Aria-body has the ability to inject itself into another process such as rundll32.exe and dllhost.exe. [1]
T1090 Proxy: Aria-body has the ability to use a reverse SOCKS proxy module. [1]
T1113 Screen Capture: Aria-body has the ability to capture screenshots on compromised hosts. [1]
T1082 System Information Discovery: Aria-body has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host. [1]
T1016 System Network Configuration Discovery: Aria-body has the ability to identify the location, public IP address, and domain name on a compromised host. [1]
T1049 System Network Connections Discovery: Aria-body has the ability to gather TCP and UDP table status listings. [1]
T1033 System Owner/User Discovery: Aria-body has the ability to identify the username on a compromised host. [1]

Groups That Use This Software

G0019 Naikon [1][2]

References