
S0585 Kerrdown

Kerrdown is a custom downloader that has been used by APT32 since at least 2018 to install spyware from a server on the victim's network.[1][2]

| Item | Value |
| --- | --- |
| ID | S0585 |
| Associated Names | |
| Type | MALWARE |
| Version | 2.0 |
| Created | 02 March 2021 |
| Last Modified | 15 October 2021 |
| Navigation Layer | View in ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.005 | Visual Basic | Kerrdown can use a VBS base64 decoder function published by Motobit.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Kerrdown can decode, decrypt, and decompress multiple layers of shellcode.[2] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | Kerrdown can use DLL side-loading to load malicious DLLs.[2] |
| enterprise | T1105 | Ingress Tool Transfer | Kerrdown can download specific payloads to a compromised host based on OS architecture.[2] |
| enterprise | T1027 | Obfuscated Files or Information | Kerrdown can encrypt, encode, and compress multiple layers of shellcode.[2] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Kerrdown has been distributed through malicious e-mail attachments.[1] |
| enterprise | T1566.002 | Spearphishing Link | Kerrdown has been distributed via e-mails containing a malicious link.[1] |
| enterprise | T1082 | System Information Discovery | Kerrdown has the ability to determine whether the compromised host is running a 32-bit or 64-bit OS architecture.[2] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Kerrdown has gained execution through victims opening malicious links.[1] |
| enterprise | T1204.002 | Malicious File | Kerrdown has gained execution through victims opening malicious files.[1][2] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0050 | APT32 | [1][2] |

References