
S0630 Nebulae

Nebulae is a backdoor that has been used by Naikon since at least 2020. [1]

ID: S0630
Associated Names:
Version: 1.0
Created: 30 June 2021
Last Modified: 15 October 2021

Techniques Used

Domain | ID | Name | Use
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Nebulae can achieve persistence through a Registry Run key. [1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | Nebulae can use CMD to execute a process. [1]
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.003 | Windows Service | Nebulae can create a service to establish persistence. [1]
enterprise | T1005 | Data from Local System | Nebulae has the capability to upload collected files to C2. [1]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | Nebulae can use RC4 and XOR to encrypt C2 communications. [1]
enterprise | T1083 | File and Directory Discovery | Nebulae can list files and directories on a compromised host. [1]
enterprise | T1574 | Hijack Execution Flow | -
enterprise | T1574.002 | DLL Side-Loading | Nebulae can use DLL side-loading to gain execution. [1]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.004 | File Deletion | Nebulae has the ability to delete files and directories. [1]
enterprise | T1105 | Ingress Tool Transfer | Nebulae can download files from C2. [1]
enterprise | T1036 | Masquerading | -
enterprise | T1036.004 | Masquerade Task or Service | Nebulae has created a service named “Windows Update Agent1” to appear legitimate. [1]
enterprise | T1036.005 | Match Legitimate Name or Location | Nebulae uses functions named StartUserModeBrowserInjection and StopUserModeBrowserInjection, indicating that it is trying to imitate chrome_frame_helper.dll. [1]
enterprise | T1106 | Native API | Nebulae has the ability to use CreateProcess to execute a process. [1]
enterprise | T1095 | Non-Application Layer Protocol | Nebulae can use TCP in C2 communications. [1]
enterprise | T1057 | Process Discovery | Nebulae can enumerate processes on a target system. [1]
enterprise | T1082 | System Information Discovery | Nebulae can discover logical drive information including the drive type, free space, and volume information. [1]

Groups That Use This Software

ID | Name | References
G0019 | Naikon | [1]