S1019 Shark

Shark is a backdoor malware written in C# and .NET that is an updated version of Milan; it has been used by HEXANE since at least July 2021.[2][1]

| Item | Value |
| --- | --- |
| ID | S1019 |
| Associated Names | |
| Version | 1.0 |
| Created | 10 June 2022 |
| Last Modified | 31 August 2022 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Shark has the ability to use HTTP in C2 communications.[2][1] |
| enterprise | T1071.004 | DNS | Shark can use DNS in C2 communications.[2][1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Shark has the ability to use CMD to execute commands.[2][1] |
| enterprise | T1005 | Data from Local System | Shark can upload files to its C2.[2][1] |
| enterprise | T1074 | Data Staged | Shark has stored information in folders named U1 and U2 prior to exfiltration.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Shark can extract and decrypt downloaded .zip files.[2] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | Shark can send DNS C2 communications using a unique domain generation algorithm.[2][1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Shark has the ability to upload files from the compromised host over a DNS or HTTP C2 channel.[2] |
| enterprise | T1008 | Fallback Channels | Shark can update its configuration to use a different C2 server.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Shark can delete files downloaded to the compromised host.[2] |
| enterprise | T1105 | Ingress Tool Transfer | Shark can download additional files from its C2 via HTTP or DNS.[2][1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Shark binaries have been named audioddg.pdb and Winlangdb.pdb in order to appear legitimate.[2] |
| enterprise | T1027 | Obfuscated Files or Information | Shark can use encrypted and encoded files for C2 configuration.[2][1] |
| enterprise | T1012 | Query Registry | Shark can query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid to retrieve the machine GUID.[1] |
| enterprise | T1029 | Scheduled Transfer | Shark can pause C2 communications for a specified time.[2] |
| enterprise | T1082 | System Information Discovery | Shark can collect the GUID of a targeted machine.[2][1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | Shark can stop execution if the screen width of the targeted machine is not over 600 pixels.[2] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G1001 | HEXANE | [3][1] |