| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Chaes has used HTTP for C2 communications. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Chaes has added persistence via the Registry key software\microsoft\windows\currentversion\run\microsoft windows html help. |
| enterprise | T1185 | Browser Session Hijacking | Chaes has used the Puppeteer module to hook and monitor the Chrome web browser to collect user information from infected hosts. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Chaes has used cmd to execute tasks on the system. |
| enterprise | T1059.005 | Visual Basic | Chaes has used VBScript to execute malicious code. |
| enterprise | T1059.006 | Python | Chaes has used Python scripts for execution and the installation of additional files. |
| enterprise | T1059.007 | JavaScript | Chaes has used a JavaScript and Node.js information stealer script that exfiltrates data using the node process. |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | Chaes can steal login credentials and stored financial information from the browser. |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Chaes has used Base64 to encode C2 communications. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Chaes has decrypted an AES-encrypted binary file to trigger the download of other files. |
| enterprise | T1573 | Encrypted Channel | Chaes has used encryption for its C2 channel. |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | Chaes has exfiltrated its collected data from the infected machine to the C2, sometimes using the MIME protocol. |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | Chaes has used search order hijacking to load a malicious DLL. |
| enterprise | T1105 | Ingress Tool Transfer | Chaes can download additional files onto an infected machine. |
| enterprise | T1056 | Input Capture | Chaes has a module to perform any API hooking it desires. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Chaes has used an unsigned, crafted DLL module named hha.dll that was designed to look like a legitimate 32-bit Windows DLL. |
| enterprise | T1112 | Modify Registry | Chaes can modify Registry values to store information and establish persistence. |
| enterprise | T1106 | Native API | Chaes used the CreateFileW() API function with read permissions to access downloaded payloads. |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.011 | Fileless Storage | Some versions of Chaes stored its instructions (otherwise kept in an instructions.ini file) in the Registry. |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Chaes has been delivered by sending victims a phishing email containing a malicious .docx file. |
| enterprise | T1113 | Screen Capture | Chaes can capture screenshots of the infected machine. |
| enterprise | T1539 | Steal Web Session Cookie | Chaes has used a script that extracts the web session cookie and sends it to the C2 server. |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.004 | InstallUtil | Chaes has used InstallUtil to download content. |
| enterprise | T1218.007 | Msiexec | Chaes has used .MSI files as an initial way to start the infection chain. |
| enterprise | T1082 | System Information Discovery | Chaes has collected system information, including the machine name and OS version. |
| enterprise | T1033 | System Owner/User Discovery | Chaes has collected the username and UID from the infected machine. |
| enterprise | T1221 | Template Injection | Chaes changed the template target of the settings.xml file embedded in the Word document and populated that field with the downloaded URL of the next payload. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Chaes requires the user to click on the malicious Word document to execute the next part of the attack. |
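As an added detection example (not code from the original page or from any Chaes analysis): the Template Injection row describes a Word document whose template target is replaced with a download URL. In OOXML, settings.xml's attachedTemplate reference resolves through the word/_rels/settings.xml.rels part, so this Python check flags any attachedTemplate relationship there whose TargetMode is External. The documents and the placeholder URL are constructed inline; the relationship type and part path are the standard OOXML values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML relationship type Word uses for an attached .dotx/.dotm template.
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PART = "word/_rels/settings.xml.rels"

def external_template_targets(docx_bytes):
    """Return the remote template URLs a .docx references, or [] if there are none.

    A benign document usually has no attachedTemplate relationship, or one whose
    Target is a local path. An External target pointing at an http(s) URL makes
    Word fetch the template when the file is opened, which is the T1221 pattern.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return hits
        root = ET.fromstring(z.read(RELS_PART))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                hits.append(rel.get("Target", ""))
    return hits

def _make_docx(rels_xml):
    """Build a minimal constructed .docx (zip) holding only the parts the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        if rels_xml is not None:
            z.writestr(RELS_PART, rels_xml)
    return buf.getvalue()

def _rels(target, external):
    mode = ' TargetMode="External"' if external else ""
    return (f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{target}"{mode}/></Relationships>')

# Constructed samples; the URL is a placeholder, not an indicator from any report.
BENIGN_DOCX = _make_docx(None)
LOCAL_TEMPLATE_DOCX = _make_docx(_rels("Normal.dotm", external=False))
INJECTED_DOCX = _make_docx(_rels("http://example.invalid/placeholder.dotm", external=True))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_DOCX), ("local", LOCAL_TEMPLATE_DOCX), ("injected", INJECTED_DOCX)):
        print(name, external_template_targets(blob))
```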