S0516 SoreFang
SoreFang is a first-stage downloader used by APT29 for exfiltration and to load other malware.[1][2]
Item | Value |
---|---|
ID | S0516 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 29 September 2020 |
Last Modified | 06 October 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | SoreFang can collect usernames from the local system via net.exe user.[2] |
enterprise | T1087.002 | Domain Account | SoreFang can enumerate domain accounts via net.exe user /domain.[2] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | SoreFang can use HTTP in C2 communications.[2][1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | SoreFang can decode and decrypt exfiltrated data sent to C2.[2] |
enterprise | T1190 | Exploit Public-Facing Application | SoreFang can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and delivery of malicious update binaries.[2] |
enterprise | T1083 | File and Directory Discovery | SoreFang has the ability to list directories.[2] |
enterprise | T1105 | Ingress Tool Transfer | SoreFang can download additional payloads from C2.[2][1] |
enterprise | T1027 | Obfuscated Files or Information | SoreFang has the ability to encode and RC6 encrypt data sent to C2.[2] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.002 | Domain Groups | SoreFang can enumerate domain groups by executing net.exe group /domain.[2] |
enterprise | T1057 | Process Discovery | SoreFang can enumerate processes on a victim machine through use of Tasklist.[2] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | SoreFang can gain persistence through use of scheduled tasks.[2] |
enterprise | T1082 | System Information Discovery | SoreFang can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing Systeminfo.[2] |
enterprise | T1016 | System Network Configuration Discovery | SoreFang can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via ipconfig.exe /all.[2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0016 | APT29 | [1][2] |