S0642 BADFLICK
BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.[1][2]
| Item | Value |
|---|---|
| ID | S0642 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 26 August 2021 |
| Last Modified | 15 October 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.002 | Archive via Library | BADFLICK has compressed data using the aPLib compression library.[2] |
| enterprise | T1005 | Data from Local System | BADFLICK has uploaded files from victims' machines.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | BADFLICK can decode shellcode using a custom rotating XOR cipher.[2] |
| enterprise | T1083 | File and Directory Discovery | BADFLICK has searched for files on the infected host.[2] |
| enterprise | T1105 | Ingress Tool Transfer | BADFLICK has downloaded files from its C2 server.[2] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | BADFLICK has been distributed via spearphishing campaigns containing malicious Microsoft Word documents.[2] |
| enterprise | T1082 | System Information Discovery | BADFLICK has captured the victim's computer name, memory space, and CPU details.[2] |
| enterprise | T1016 | System Network Configuration Discovery | BADFLICK has captured the victim's IP address details.[2] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | BADFLICK has relied upon users clicking on a malicious attachment delivered through spearphishing.[2] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.003 | Time Based Evasion | BADFLICK has delayed communication to the actor-controlled IP address by 5 minutes.[2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0065 | Leviathan | [1][2] |