S0667 Chrommme
Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with Gelsemium malware.[1]
| Item | Value |
|---|---|
| ID | S0667 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 01 December 2021 |
| Last Modified | 04 May 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | Chrommme can encrypt and store on disk collected data before exfiltration.[1] |
| enterprise | T1005 | Data from Local System | Chrommme can collect data from a local system.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Chrommme can store captured system information locally prior to exfiltration.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Chrommme can decrypt its encrypted internal code.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Chrommme can exfiltrate collected data via C2.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Chrommme can download its code from C2.[1] |
| enterprise | T1106 | Native API | Chrommme can use Windows API including WinExec for execution.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Chrommme can encrypt sections of its code to evade detection.[1] |
| enterprise | T1029 | Scheduled Transfer | Chrommme can set itself to sleep before requesting a new command from C2.[1] |
| enterprise | T1113 | Screen Capture | Chrommme has the ability to capture screenshots.[1] |
| enterprise | T1082 | System Information Discovery | Chrommme has the ability to list drives and obtain the computer name of a compromised host.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Chrommme can enumerate the IP address of a compromised host.[1] |
| enterprise | T1033 | System Owner/User Discovery | Chrommme can retrieve the username from a targeted system.[1] |