
S0547 DropBook

DropBook is a Python-based backdoor compiled with PyInstaller.[1]

| Item | Value |
|---|---|
| ID | S0547 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 22 December 2020 |
| Last Modified | 18 August 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | DropBook can execute arbitrary shell commands on the victims’ machines.[1][2] |
| enterprise | T1059.006 | Python | DropBook is a Python-based backdoor compiled with PyInstaller.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | DropBook can unarchive data downloaded from the C2 to obtain the payload and persistence modules.[1] |
| enterprise | T1567 | Exfiltration Over Web Service | DropBook has used legitimate web services to exfiltrate data.[2] |
| enterprise | T1083 | File and Directory Discovery | DropBook can collect the names of all files and folders in the Program Files directories.[1][2] |
| enterprise | T1105 | Ingress Tool Transfer | DropBook can download and execute additional files.[1][2] |
| enterprise | T1082 | System Information Discovery | DropBook has checked for the presence of the Arabic language in the infected machine’s settings.[1] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | DropBook has checked for the presence of the Arabic language in the infected machine’s settings.[2] |
| enterprise | T1102 | Web Service | DropBook can communicate with its operators by abusing Simplenote, Dropbox, and the social media platform Facebook, where it creates fake accounts to control the backdoor and receive instructions.[1][2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0021 | Molerats | [1] |

References