
S0663 SysUpdate

SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.[1]

| Item | Value |
|---|---|
| ID | S0663 |
| Associated Names | HyperSSL, Soldier, FOCUSFJORD |
| Version | 1.0 |
| Created | 29 November 2021 |
| Last Modified | 15 April 2022 |

Associated Software Descriptions

| Name | Description |
|---|---|
| HyperSSL | [1] |
| Soldier | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | SysUpdate can use a Registry Run key to establish persistence.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | SysUpdate can create a service to establish persistence.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | SysUpdate can deobfuscate packed binaries in memory.[1] |
| enterprise | T1083 | File and Directory Discovery | SysUpdate can search files on a compromised host.[1] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | SysUpdate has the ability to set file attributes to hidden.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | SysUpdate can load DLLs through vulnerable legitimate executables.[1] |
| enterprise | T1070 | Indicator Removal on Host | - |
| enterprise | T1070.004 | File Deletion | SysUpdate can delete its configuration file from the targeted system.[1] |
| enterprise | T1105 | Ingress Tool Transfer | SysUpdate has the ability to download files to a compromised host.[1] |
| enterprise | T1112 | Modify Registry | SysUpdate can write its configuration file to Software\Classes\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.[1] |
| enterprise | T1027 | Obfuscated Files or Information | SysUpdate can encrypt and encode its configuration file.[1] |
| enterprise | T1027.002 | Software Packing | SysUpdate can use packed binaries.[1] |
| enterprise | T1113 | Screen Capture | SysUpdate has the ability to capture screenshots.[1] |
| enterprise | T1082 | System Information Discovery | SysUpdate can determine whether a system has a 32-bit or 64-bit architecture.[1] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | SysUpdate can manage services and processes.[1] |
| enterprise | T1047 | Windows Management Instrumentation | SysUpdate can use WMI for execution on a compromised host.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0027 | Threat Group-3390 | [1] |
