Skip to content

S0610 SideTwist

SideTwist is a C-based backdoor that has been used by OilRig since at least 2021.1

Item Value
ID S0610
Associated Names
Version 1.0
Created 06 May 2021
Last Modified 13 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols SideTwist has used HTTP GET and POST requests over port 443 for C2.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell SideTwist can execute shell commands on a compromised host.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding SideTwist has used Base64 for encoded C2 traffic.1
enterprise T1005 Data from Local System SideTwist has the ability to upload files from a compromised host.1
enterprise T1001 Data Obfuscation SideTwist can embed C2 responses in the source code of a fake Flickr webpage.1
enterprise T1140 Deobfuscate/Decode Files or Information SideTwist can decode and decrypt messages received from C2.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography SideTwist can encrypt C2 communications with a randomly generated key.1
enterprise T1041 Exfiltration Over C2 Channel SideTwist has exfiltrated data over its C2 channel.1
enterprise T1008 Fallback Channels SideTwist has primarily used port 443 for C2 but can use port 80 as a fallback.1
enterprise T1083 File and Directory Discovery SideTwist has the ability to search for specific files.1
enterprise T1105 Ingress Tool Transfer SideTwist has the ability to download additional files.1
enterprise T1106 Native API SideTwist can use GetUserNameW, GetComputerNameW, and GetComputerNameExW to gather information.1
enterprise T1082 System Information Discovery SideTwist can collect the computer name of a targeted system.1
enterprise T1016 System Network Configuration Discovery SideTwist has the ability to collect the domain name on a compromised host.1
enterprise T1033 System Owner/User Discovery SideTwist can collect the username on a targeted system.1

Groups That Use This Software

ID Name References
G0049 OilRig 1