S0610 SideTwist
SideTwist is a C-based backdoor that has been used by OilRig since at least 2021.[1]
Item | Value |
---|---|
ID | S0610 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 06 May 2021 |
Last Modified | 13 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | SideTwist has used HTTP GET and POST requests over port 443 for C2.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | SideTwist can execute shell commands on a compromised host.[1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | SideTwist has used Base64 for encoded C2 traffic.[1] |
enterprise | T1005 | Data from Local System | SideTwist has the ability to upload files from a compromised host.[1] |
enterprise | T1001 | Data Obfuscation | SideTwist can embed C2 responses in the source code of a fake Flickr webpage.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | SideTwist can decode and decrypt messages received from C2.[1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | SideTwist can encrypt C2 communications with a randomly generated key.[1] |
enterprise | T1041 | Exfiltration Over C2 Channel | SideTwist has exfiltrated data over its C2 channel.[1] |
enterprise | T1008 | Fallback Channels | SideTwist has primarily used port 443 for C2 but can use port 80 as a fallback.[1] |
enterprise | T1083 | File and Directory Discovery | SideTwist has the ability to search for specific files.[1] |
enterprise | T1105 | Ingress Tool Transfer | SideTwist has the ability to download additional files.[1] |
enterprise | T1106 | Native API | SideTwist can use GetUserNameW, GetComputerNameW, and GetComputerNameExW to gather information.[1] |
enterprise | T1082 | System Information Discovery | SideTwist can collect the computer name of a targeted system.[1] |
enterprise | T1016 | System Network Configuration Discovery | SideTwist has the ability to collect the domain name on a compromised host.[1] |
enterprise | T1033 | System Owner/User Discovery | SideTwist can collect the username on a targeted system.[1] |
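The C2 handling the table describes (responses hidden in the source of a decoy Flickr-style page, Base64 encoding, symmetric encryption with a per-session key, and decode/decrypt on the implant side) is reconstructed below as an added Python example written for this page. It is not SideTwist's own code and does not reproduce its real message format: the decoy page layout, the HTML-comment carrier, the repeating-key XOR used as a stand-in for the unspecified symmetric cipher, the fixed `SESSION_KEY` and the sample command are all constructed assumptions. The same block also shows the heuristic an analyst could run over captured response bodies to flag a decoy page carrying binary data.

```python
"""Extract, decode and decrypt a C2 response hidden in a decoy web page.

Added example for the SideTwist ATT&CK entry, not SideTwist's own code.
Assumptions: the hidden message sits in an HTML comment as Base64, and the
symmetric cipher is a repeating-key XOR stand-in. The entry only states
Base64 encoding, a randomly generated symmetric key, and a fake Flickr
page as the carrier; none of the constants below are real indicators.
"""
import base64
import re
from itertools import cycle

# Constructed decoy page; the "{blob}" slot is where the operator hides the
# encoded command. The layout is an assumption for illustration only.
DECOY_TEMPLATE = (
    "<html><head><title>Photos</title></head><body>\n"
    '<div class="photo"><img src="/p/sunset.jpg" alt="sunset"></div>\n'
    "<!-- {blob} -->\n"
    "</body></html>\n"
)

# Fixed here so the run is reproducible; a real implant would draw a fresh
# key per session (the entry says "randomly generated key"). Every byte has
# the high bit set, so XOR against ASCII plaintext yields non-printable bytes.
SESSION_KEY = bytes(range(0x80, 0x90))

# A Base64 run of 16+ characters (plus optional padding) inside an HTML comment.
BLOB_RE = re.compile(r"<!--\s*([A-Za-z0-9+/]{16,}={0,2})\s*-->")


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR stand-in; encrypt and decrypt are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_decoy_page(command: bytes, key: bytes) -> str:
    """Operator side: encrypt, Base64-encode, embed in the decoy page (T1001)."""
    blob = base64.b64encode(xor_stream(command, key)).decode("ascii")
    return DECOY_TEMPLATE.format(blob=blob)


def extract_blobs(html: str) -> list[str]:
    """Implant/analyst side: pull every candidate Base64 blob out of comments."""
    return BLOB_RE.findall(html)


def decode_commands(html: str, key: bytes) -> list[bytes]:
    """Base64-decode, then decrypt, each blob (T1132.001 + T1140)."""
    return [xor_stream(base64.b64decode(b), key) for b in extract_blobs(html)]


def nonprintable_ratio(data: bytes) -> float:
    """Share of bytes outside printable ASCII; high values suggest ciphertext."""
    if not data:
        return 0.0
    return sum(1 for b in data if b < 0x20 or b > 0x7E) / len(data)


def looks_like_hidden_c2(html: str, min_len: int = 16, ratio: float = 0.5) -> bool:
    """Detection heuristic: a Base64 comment that decodes to binary junk.

    A benign page rarely carries long Base64 in a comment, and when it does
    (inline images, tokens) the decoded bytes are usually printable or the
    blob is not in a comment at all. Tune min_len/ratio on your own traffic.
    """
    for blob in extract_blobs(html):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if len(raw) >= min_len and nonprintable_ratio(raw) >= ratio:
            return True
    return False


if __name__ == "__main__":
    page = build_decoy_page(b"cmd /c whoami && hostname", SESSION_KEY)
    print(page)
    print("decoded:", decode_commands(page, SESSION_KEY))
    print("flagged:", looks_like_hidden_c2(page))
    benign = DECOY_TEMPLATE.format(blob="page footer")
    print("benign flagged:", looks_like_hidden_c2(benign))
```

The detection half deliberately keys on the decoded bytes rather than on the Base64 alphabet alone: Base64 in page source is common, but Base64 inside a comment that decodes to high-bit or control bytes is not, and that property survives a change of carrier tag or key. Because the transport is plain HTTP GET/POST on 443 with 80 as fallback, the response body is only visible where TLS is terminated or absent, so this check belongs on a proxy or in a sandbox rather than on a passive network tap.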
Groups That Use This Software
ID | Name | References |
---|---|---|
G0049 | OilRig | [1] |