S0538 Crutch

Crutch is a backdoor designed for document theft that has been used by Turla since at least 2015.[1]

ID: S0538
Associated Names: (none)
Version: 1.0
Created: 04 December 2020
Last Modified: 22 December 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Crutch has conducted C2 communications with a Dropbox account using the HTTP API.[1] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Crutch has used the WinRAR utility to compress and encrypt stolen files.[1] |
| enterprise | T1119 | Automated Collection | Crutch can automatically monitor removable drives in a loop and copy interesting files.[1] |
| enterprise | T1020 | Automated Exfiltration | Crutch has automatically exfiltrated stolen files to Dropbox.[1] |
| enterprise | T1005 | Data from Local System | Crutch can exfiltrate files from compromised systems.[1] |
| enterprise | T1025 | Data from Removable Media | Crutch can monitor removable drives and exfiltrate files matching a given extension list.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Crutch has staged stolen files in the C:\AMD\Temp directory.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Crutch can exfiltrate data over the primary C2 channel (Dropbox HTTP API).[1] |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | Crutch has exfiltrated stolen data to Dropbox.[1] |
| enterprise | T1008 | Fallback Channels | Crutch has used a hardcoded GitHub repository as a fallback channel.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | Crutch can persist via DLL search order hijacking on Google Chrome, Mozilla Firefox, or Microsoft OneDrive.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Crutch has established persistence with a scheduled task impersonating the Outlook item finder.[1] |
| enterprise | T1120 | Peripheral Device Discovery | Crutch can monitor for removable drives being plugged into the compromised machine.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Crutch has the ability to persist using scheduled tasks.[1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | Crutch can use Dropbox to receive commands and upload stolen data.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0010 | Turla | [1][2] |