S1019 Shark
Shark is a backdoor malware written in C# and .NET that is an updated version of Milan; it has been used by HEXANE since at least July 2021.[2][1]
Item | Value |
---|---|
ID | S1019 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 10 June 2022 |
Last Modified | 31 August 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Shark has the ability to use HTTP in C2 communications.[2][1] |
enterprise | T1071.004 | DNS | Shark can use DNS in C2 communications.[2][1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Shark has the ability to use CMD to execute commands.[2][1] |
enterprise | T1005 | Data from Local System | Shark can upload files to its C2.[2][1] |
enterprise | T1074 | Data Staged | Shark has stored information in folders named U1 and U2 prior to exfiltration.[2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Shark can extract and decrypt downloaded .zip files.[2] |
enterprise | T1568 | Dynamic Resolution | - |
enterprise | T1568.002 | Domain Generation Algorithms | Shark can send DNS C2 communications using a unique domain generation algorithm.[2][1] |
enterprise | T1041 | Exfiltration Over C2 Channel | Shark has the ability to upload files from the compromised host over a DNS or HTTP C2 channel.[2] |
enterprise | T1008 | Fallback Channels | Shark can update its configuration to use a different C2 server.[2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Shark can delete files downloaded to the compromised host.[2] |
enterprise | T1105 | Ingress Tool Transfer | Shark can download additional files from its C2 via HTTP or DNS.[2][1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Shark binaries have been named audioddg.pdb and Winlangdb.pdb in order to appear legitimate.[2] |
enterprise | T1027 | Obfuscated Files or Information | Shark can use encrypted and encoded files for C2 configuration.[2][1] |
enterprise | T1012 | Query Registry | Shark can query the MachineGuid value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography to retrieve the machine GUID.[1] |
enterprise | T1029 | Scheduled Transfer | Shark can pause C2 communications for a specified time.[2] |
enterprise | T1082 | System Information Discovery | Shark can collect the GUID of a targeted machine.[2][1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | Shark can stop execution if the screen width of the targeted machine is not over 600 pixels.[2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G1001 | HEXANE | [3][1] |
References
1. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
2. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
3. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.