S0667 Chrommme

Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with Gelsemium malware.[1]

| Item | Value |
|---|---|
| ID | S0667 |
| Associated Names | |
| Version | 1.0 |
| Created | 01 December 2021 |
| Last Modified | 04 May 2022 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | Chrommme can encrypt and store on disk collected data before exfiltration.[1] |
| enterprise | T1005 | Data from Local System | Chrommme can collect data from a local system.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Chrommme can store captured system information locally prior to exfiltration.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Chrommme can decrypt its encrypted internal code.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Chrommme can exfiltrate collected data via C2.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Chrommme can download its code from C2.[1] |
| enterprise | T1106 | Native API | Chrommme can use Windows APIs, including WinExec, for execution.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Chrommme can encrypt sections of its code to evade detection.[1] |
| enterprise | T1029 | Scheduled Transfer | Chrommme can set itself to sleep before requesting a new command from C2.[1] |
| enterprise | T1113 | Screen Capture | Chrommme has the ability to capture screenshots.[1] |
| enterprise | T1082 | System Information Discovery | Chrommme has the ability to list drives and obtain the computer name of a compromised host.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Chrommme can enumerate the IP address of a compromised host.[1] |
| enterprise | T1033 | System Owner/User Discovery | Chrommme can retrieve the username from a targeted system.[1] |