S0475 BackConfig
BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.1
Item | Value |
---|---|
ID | S0475 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 17 June 2020 |
Last Modified | 22 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | BackConfig has the ability to use HTTPS for C2 communications.1 |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | BackConfig can download and run batch files to execute commands on a compromised host.1 |
enterprise | T1059.005 | Visual Basic | BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.1 |
enterprise | T1140 | Deobfuscate/Decode Files or Information | BackConfig has used a custom routine to decrypt strings.1 |
enterprise | T1083 | File and Directory Discovery | BackConfig has the ability to identify folders and files related to previous infections.1 |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | BackConfig has the ability to set folders or files to be hidden from the Windows Explorer default view.1 |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | BackConfig has the ability to remove files and folders related to previous infections.1 |
enterprise | T1105 | Ingress Tool Transfer | BackConfig can download and execute additional payloads on a compromised host.1 |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | BackConfig has hidden malicious payloads in %USERPROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary.1 |
enterprise | T1106 | Native API | BackConfig can leverage API functions such as ShellExecuteA and HttpOpenRequestA in the process of downloading and executing files.1 |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.010 | Command Obfuscation | BackConfig has used compressed and decimal encoded VBS scripts.1 |
enterprise | T1137 | Office Application Startup | - |
enterprise | T1137.001 | Office Template Macros | BackConfig has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros.1 |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.1 |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | BackConfig has been signed with self-signed digital certificates mimicking a legitimate software company.1 |
enterprise | T1082 | System Information Discovery | BackConfig has the ability to gather the victim’s computer name.1 |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | BackConfig has compromised victims via links to URLs hosting malicious content.1 |
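The rows above are easier to act on when turned into host triage logic. The following is an added example, not code from the ATT&CK page or from any Patchwork/BackConfig tooling: it checks constructed file and scheduled-task records against the behaviours listed for T1036.005 (the %USERPROFILE%\Adobe\Driver\dwg\ staging path), T1564.001 (hidden attribute), T1553.002 (self-signed certificate, detected as subject equal to issuer) and T1053.005 (a scheduled task launching something from the staging path). The record fields, the sample host data and the hypothetical `triage`/`run_sample` functions are assumptions; nothing here names the DHCP binary BackConfig mimics, because the page does not.

```python
"""Triage of constructed host artifacts against the BackConfig behaviours
listed on this page. Added example; the record layout and sample data are
assumptions, not output of any real collector."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ntpath  # Windows path semantics, usable on any OS

# Staging directory named on the page under T1036.005.
STAGING_DIR = r"%USERPROFILE%\Adobe\Driver\dwg"


@dataclass
class FileRecord:
    """One collected file. 'hidden' mirrors FILE_ATTRIBUTE_HIDDEN; the signer
    fields are an assumption about what a collector would export."""
    path: str
    hidden: bool = False
    signer_subject: Optional[str] = None
    signer_issuer: Optional[str] = None


@dataclass
class TaskRecord:
    """One scheduled task: its name and the command line it launches."""
    name: str
    command: str


def _norm(path: str, userprofile: str) -> str:
    """Expand %USERPROFILE%, normalise separators, lower-case (NTFS is case-insensitive)."""
    return ntpath.normpath(path.replace("%USERPROFILE%", userprofile)).lower()


def in_staging_dir(path: str, userprofile: str) -> bool:
    """True when 'path' sits under the BackConfig staging directory."""
    staged = _norm(STAGING_DIR, userprofile).rstrip("\\")
    return _norm(path, userprofile).startswith(staged + "\\")


def is_self_signed(rec: FileRecord) -> bool:
    """A self-signed certificate carries identical subject and issuer names."""
    return rec.signer_subject is not None and rec.signer_subject == rec.signer_issuer


def _task_exe(command: str) -> str:
    """Pull the executable out of a task command line (quoted or unquoted).
    Assumption: an unquoted executable ends at the first '.exe'."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]
    i = cmd.lower().find(".exe")
    return cmd[: i + 4] if i != -1 else cmd.split(" ")[0]


def triage(files: List[FileRecord], tasks: List[TaskRecord],
           userprofile: str) -> Dict[str, List[str]]:
    """Map each artifact that matches at least one indicator to the ATT&CK
    sub-technique IDs it matches. The hidden attribute alone is too noisy
    (desktop.ini, thumbs.db) and is only reported alongside another indicator."""
    findings: Dict[str, List[str]] = {}
    for f in files:
        techs = []
        if in_staging_dir(f.path, userprofile):
            techs.append("T1036.005")
        if is_self_signed(f):
            techs.append("T1553.002")
        if f.hidden and techs:
            techs.append("T1564.001")
        if techs:
            findings[f.path] = techs
    for t in tasks:
        if in_staging_dir(_task_exe(t.command), userprofile):
            findings[f"task:{t.name}"] = ["T1053.005"]
    return findings


# Constructed sample host data (not real telemetry).
USERPROFILE = r"C:\Users\alice"
SAMPLE_FILES = [
    FileRecord(r"C:\Users\alice\Adobe\Driver\dwg\payload.exe", hidden=True,
               signer_subject="CN=Example Software Ltd",
               signer_issuer="CN=Example Software Ltd"),
    FileRecord(r"%USERPROFILE%\Adobe\Driver\dwg\loader.vbs", hidden=True),
    FileRecord(r"C:\Users\alice\desktop.ini", hidden=True),
    FileRecord(r"C:\Windows\System32\svchost.exe",
               signer_subject="CN=Microsoft Windows",
               signer_issuer="CN=Microsoft Windows Production PCA 2011"),
]
SAMPLE_TASKS = [
    TaskRecord("Adobe Update", r'"C:\Users\alice\Adobe\Driver\dwg\payload.exe" /start'),
    TaskRecord("GoogleUpdateTaskMachineUA",
               r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"),
]


def run_sample() -> Dict[str, List[str]]:
    """Run the triage over the constructed sample data."""
    return triage(SAMPLE_FILES, SAMPLE_TASKS, USERPROFILE)


if __name__ == "__main__":
    for artifact, techs in run_sample().items():
        print(f"{artifact}: {', '.join(techs)}")
```

The staging-path and task checks are the high-signal ones; the self-signed test only flags subject equal to issuer and says nothing about whether the name imitates a real vendor, which still needs an analyst's eye against the organisation's expected signers.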
Groups That Use This Software
ID | Name | References |
---|---|---|
G0040 | Patchwork | 1 |