S0691 Neoichor
Neoichor is C2 malware used by Ke3chang since at least 2019; similar malware families used by the group include Leeson and Numbldea.[1]
Item | Value |
---|---|
ID | S0691 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 22 March 2022 |
Last Modified | 11 April 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Neoichor can use HTTP for C2 communications.[1] |
enterprise | T1005 | Data from Local System | Neoichor can upload files from a victim's machine.[1] |
enterprise | T1070 | Indicator Removal | Neoichor can clear the browser history on a compromised host by changing the ClearBrowsingHistoryOnExit value to 1 in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy Registry key.[1] |
enterprise | T1105 | Ingress Tool Transfer | Neoichor can download additional files onto a compromised host.[1] |
enterprise | T1559 | Inter-Process Communication | - |
enterprise | T1559.001 | Component Object Model | Neoichor can use the Internet Explorer (IE) COM interface to connect to and receive commands from C2.[1] |
enterprise | T1112 | Modify Registry | Neoichor has the ability to configure browser settings by modifying Registry entries under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer.[1] |
enterprise | T1082 | System Information Discovery | Neoichor can collect the OS version and computer name from a compromised host.[1] |
enterprise | T1614 | System Location Discovery | - |
enterprise | T1614.001 | System Language Discovery | Neoichor can identify the system language on a compromised host.[1] |
enterprise | T1016 | System Network Configuration Discovery | Neoichor can gather the IP address from an infected host.[1] |
enterprise | T1016.001 | Internet Connection Discovery | Neoichor can check for Internet connectivity by contacting bing[.]com with the request format bing[.]com?id=<GetTickCount>.[1] |
enterprise | T1033 | System Owner/User Discovery | Neoichor can collect the user name from a victim's machine.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0004 | Ke3chang | [1] |