Skip to content

S0632 GrimAgent

GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020; it is likely used by FIN6 and Wizard Spider.1

Item Value
ID S0632
Associated Names
Version 1.1
Created 16 July 2021
Last Modified 29 July 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols GrimAgent has the ability to use HTTP for C2 communications.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder GrimAgent can set persistence with a Registry run key.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell GrimAgent can use the Windows Command Shell to execute commands, including its own removal.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding GrimAgent can base64 encode C2 replies.1
enterprise T1005 Data from Local System GrimAgent can collect data and files from a compromised host.1
enterprise T1001 Data Obfuscation -
enterprise T1001.001 Junk Data GrimAgent can pad C2 messages with random generated values.1
enterprise T1140 Deobfuscate/Decode Files or Information GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography GrimAgent can use an AES key to encrypt C2 communications.1
enterprise T1573.002 Asymmetric Cryptography GrimAgent can use a hardcoded server public RSA key to encrypt the first request to C2.1
enterprise T1041 Exfiltration Over C2 Channel GrimAgent has sent data related to a compromise host over its C2 channel.1
enterprise T1083 File and Directory Discovery GrimAgent has the ability to enumerate files and directories on a compromised host.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion GrimAgent can delete old binaries on a compromised host.1
enterprise T1070.009 Clear Persistence GrimAgent can delete previously created tasks on a compromised host.1
enterprise T1105 Ingress Tool Transfer GrimAgent has the ability to download and execute additional payloads.1
enterprise T1106 Native API GrimAgent can use Native API including GetProcAddress and ShellExecuteW.1
enterprise T1027 Obfuscated Files or Information GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.1
enterprise T1027.001 Binary Padding GrimAgent has the ability to add bytes to change the file hash.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task GrimAgent has the ability to set persistence using the Task Scheduler.1
enterprise T1082 System Information Discovery GrimAgent can collect the OS, and build version on a compromised host.1
enterprise T1614 System Location Discovery GrimAgent can identify the country code on a compromised host.1
enterprise T1614.001 System Language Discovery GrimAgent has used Accept-Language to identify hosts in the United Kingdom, United States, France, and Spain.1
enterprise T1016 System Network Configuration Discovery GrimAgent can enumerate the IP and domain of a target system.1
enterprise T1033 System Owner/User Discovery GrimAgent can identify the user id on a target machine.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion GrimAgent can sleep for 195 - 205 seconds after payload execution and before deleting its task.1

Groups That Use This Software

ID Name References
G0037 FIN6 1
G0102 Wizard Spider 1