S0569 Explosive

Explosive is a custom-made remote access tool used by the group Volatile Cedar. It was first identified in the wild in 2015.[1][2]

| Item | Value |
|---|---|
| ID | S0569 |
| Associated Names | |
| Version | 1.0 |
| Created | 08 February 2021 |
| Last Modified | 27 April 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Explosive has used HTTP for communication.[1] |
| enterprise | T1115 | Clipboard Data | Explosive has a function to use the OpenClipboard wrapper.[1] |
| enterprise | T1025 | Data from Removable Media | Explosive can scan all .exe files located in the USB drive.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Explosive has encrypted communications with the RC4 method.[2] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | Explosive has commonly set file and path attributes to hidden.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Explosive has a function to download a file to the infected system.[1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Explosive has leveraged its keylogging capabilities to gain access to administrator accounts on target servers.[1][2] |
| enterprise | T1112 | Modify Registry | Explosive has a function to write itself to Registry values.[1] |
| enterprise | T1106 | Native API | Explosive has a function to call the OpenClipboard wrapper.[1] |
| enterprise | T1082 | System Information Discovery | Explosive has collected the computer name from the infected host.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Explosive has collected the MAC address from the victim's machine.[1] |
| enterprise | T1033 | System Owner/User Discovery | Explosive has collected the username from the infected host.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0123 | Volatile Cedar | [1][2] |