S0538 Crutch
Crutch is a backdoor designed for document theft that has been used by Turla since at least 2015.[1]
| Item | Value |
|---|---|
| ID | S0538 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 04 December 2020 |
| Last Modified | 22 December 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Crutch has conducted C2 communications with a Dropbox account using the HTTP API.[1] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Crutch has used the WinRAR utility to compress and encrypt stolen files.[1] |
| enterprise | T1119 | Automated Collection | Crutch can automatically monitor removable drives in a loop and copy interesting files.[1] |
| enterprise | T1020 | Automated Exfiltration | Crutch has automatically exfiltrated stolen files to Dropbox.[1] |
| enterprise | T1005 | Data from Local System | Crutch can exfiltrate files from compromised systems.[1] |
| enterprise | T1025 | Data from Removable Media | Crutch can monitor removable drives and exfiltrate files matching a given extension list.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Crutch has staged stolen files in the C:\AMD\Temp directory.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Crutch can exfiltrate data over the primary C2 channel (Dropbox HTTP API).[1] |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | Crutch has exfiltrated stolen data to Dropbox.[1] |
| enterprise | T1008 | Fallback Channels | Crutch has used a hardcoded GitHub repository as a fallback channel.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | Crutch can persist via DLL search order hijacking on Google Chrome, Mozilla Firefox, or Microsoft OneDrive.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Crutch has established persistence with a scheduled task impersonating the Outlook item finder.[1] |
| enterprise | T1120 | Peripheral Device Discovery | Crutch can monitor for removable drives being plugged into the compromised machine.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Crutch has the ability to persist using scheduled tasks.[1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | Crutch can use Dropbox to receive commands and upload stolen data.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0010 | Turla | [1][2] |