# S0663 SysUpdate

SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.[1]
Item | Value |
---|---|
ID | S0663 |
Associated Names | HyperSSL, Soldier, FOCUSFJORD |
Type | MALWARE |
Version | 1.0 |
Created | 29 November 2021 |
Last Modified | 15 April 2022 |

## Associated Software Descriptions
Name | Description |
---|---|
HyperSSL | [1] |
Soldier | [1] |
FOCUSFJORD | [1] |

## Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | SysUpdate can use a Registry Run key to establish persistence.[1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | SysUpdate can create a service to establish persistence.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | SysUpdate can deobfuscate packed binaries in memory.[1] |
enterprise | T1083 | File and Directory Discovery | SysUpdate can search files on a compromised host.[1] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | SysUpdate has the ability to set file attributes to hidden.[1] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.002 | DLL Side-Loading | SysUpdate can load DLLs through vulnerable legitimate executables.[1] |
enterprise | T1070 | Indicator Removal on Host | - |
enterprise | T1070.004 | File Deletion | SysUpdate can delete its configuration file from the targeted system.[1] |
enterprise | T1105 | Ingress Tool Transfer | SysUpdate has the ability to download files to a compromised host.[1] |
enterprise | T1112 | Modify Registry | SysUpdate can write its configuration file to `Software\Classes\scConfig` under either `HKEY_LOCAL_MACHINE` or `HKEY_CURRENT_USER`.[1] |
enterprise | T1027 | Obfuscated Files or Information | SysUpdate can encrypt and encode its configuration file.[1] |
enterprise | T1027.002 | Software Packing | SysUpdate can use packed binaries.[1] |
enterprise | T1113 | Screen Capture | SysUpdate has the ability to capture screenshots.[1] |
enterprise | T1082 | System Information Discovery | SysUpdate can determine whether a system has a 32-bit or 64-bit architecture.[1] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | SysUpdate can manage services and processes.[1] |
enterprise | T1047 | Windows Management Instrumentation | SysUpdate can use WMI for execution on a compromised host.[1] |

## Groups That Use This Software
ID | Name | References |
---|---|---|
G0027 | Threat Group-3390 | [1] |