
S0516 SoreFang

SoreFang is a first-stage downloader used by APT29 for exfiltration and to load other malware.[1][2]

| Item | Value |
|---|---|
| ID | S0516 |
| Associated Names | |
| Version | 1.0 |
| Created | 29 September 2020 |
| Last Modified | 06 October 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | SoreFang can collect usernames from the local system via net.exe user.[2] |
| enterprise | T1087.002 | Domain Account | SoreFang can enumerate domain accounts via net.exe user /domain.[2] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | SoreFang can use HTTP in C2 communications.[2][1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | SoreFang can decode and decrypt exfiltrated data sent to C2.[2] |
| enterprise | T1190 | Exploit Public-Facing Application | SoreFang can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and delivery of malicious update binaries.[2] |
| enterprise | T1083 | File and Directory Discovery | SoreFang has the ability to list directories.[2] |
| enterprise | T1105 | Ingress Tool Transfer | SoreFang can download additional payloads from C2.[2][1] |
| enterprise | T1027 | Obfuscated Files or Information | SoreFang has the ability to encode and RC6 encrypt data sent to C2.[2] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.002 | Domain Groups | SoreFang can enumerate domain groups by executing net.exe group /domain.[2] |
| enterprise | T1057 | Process Discovery | SoreFang can enumerate processes on a victim machine through use of Tasklist.[2] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | SoreFang can gain persistence through use of scheduled tasks.[2] |
| enterprise | T1082 | System Information Discovery | SoreFang can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing Systeminfo.[2] |
| enterprise | T1016 | System Network Configuration Discovery | SoreFang can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via ipconfig.exe /all.[2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0016 | APT29 | [1][2] |