S0585 Kerrdown
Kerrdown is a custom downloader that has been used by APT32 since at least 2018 to install spyware from a server on the victim's network.[1][2]
Item | Value |
---|---|
ID | S0585 |
Associated Names | |
Type | MALWARE |
Version | 2.0 |
Created | 02 March 2021 |
Last Modified | 15 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.005 | Visual Basic | Kerrdown can use a VBS base64 decoder function published by Motobit.[2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Kerrdown can decode, decrypt, and decompress multiple layers of shellcode.[2] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.002 | DLL Side-Loading | Kerrdown can use DLL side-loading to load malicious DLLs.[2] |
enterprise | T1105 | Ingress Tool Transfer | Kerrdown can download specific payloads to a compromised host based on OS architecture.[2] |
enterprise | T1027 | Obfuscated Files or Information | Kerrdown can encrypt, encode, and compress multiple layers of shellcode.[2] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Kerrdown has been distributed through malicious e-mail attachments.[1] |
enterprise | T1566.002 | Spearphishing Link | Kerrdown has been distributed via e-mails containing a malicious link.[1] |
enterprise | T1082 | System Information Discovery | Kerrdown has the ability to determine whether the compromised host is running a 32-bit or 64-bit OS architecture.[2] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | Kerrdown has gained execution through victims opening malicious links.[1] |
enterprise | T1204.002 | Malicious File | Kerrdown has gained execution through victims opening malicious files.[1][2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0050 | APT32 | [1][2] |