S0636 VaporRage
VaporRage is a shellcode downloader that has been used by APT29 since at least 2021.1
| Item | Value |
|---|---|
| ID | S0636 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 04 August 2021 |
| Last Modified | 04 August 2021 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | VaporRage can use HTTP to download shellcode from compromised websites.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | VaporRage can deobfuscate XOR-encoded shellcode prior to execution.1 |
| enterprise | T1480 | Execution Guardrails | VaporRage has the ability to check for the presence of a specific DLL and terminate if it is not found.1 |
| enterprise | T1105 | Ingress Tool Transfer | VaporRage has the ability to download malicious shellcode to compromised systems.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0016 | APT29 | 1 |