
S0691 Neoichor

Neoichor is C2 malware used by Ke3chang since at least 2019; similar malware families used by the group include Leeson and Numbldea. [1]

ID: S0691
Associated Names: (none listed)
Type: MALWARE
Version: 1.0
Created: 22 March 2022
Last Modified: 11 April 2022

Techniques Used

All techniques below are in the enterprise domain. Sub-techniques are indented under their parent technique.

T1071 Application Layer Protocol
  T1071.001 Web Protocols: Neoichor can use HTTP for C2 communications. [1]
T1005 Data from Local System: Neoichor can upload files from a victim's machine. [1]
T1070 Indicator Removal: Neoichor can clear the browser history on a compromised host by setting the ClearBrowsingHistoryOnExit value to 1 in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy Registry key. [1]
T1105 Ingress Tool Transfer: Neoichor can download additional files onto a compromised host. [1]
T1559 Inter-Process Communication
  T1559.001 Component Object Model: Neoichor can use the Internet Explorer (IE) COM interface to connect to C2 and receive commands. [1]
T1112 Modify Registry: Neoichor can configure browser settings by modifying Registry entries under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer. [1]
T1082 System Information Discovery: Neoichor can collect the OS version and computer name from a compromised host. [1]
T1614 System Location Discovery
  T1614.001 System Language Discovery: Neoichor can identify the system language on a compromised host. [1]
T1016 System Network Configuration Discovery: Neoichor can gather the IP address of an infected host. [1]
  T1016.001 Internet Connection Discovery: Neoichor can check for Internet connectivity by contacting bing[.]com with the request format bing[.]com?id=<GetTickCount>. [1]
T1033 System Owner/User Discovery: Neoichor can collect the user name from a victim's machine. [1]

Groups That Use This Software

G0004 Ke3chang [1]

References