
S1035 Small Sieve

Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.[1][2]

Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.[3]

ID: S1035
Associated Names: GRAMDOOR
Type: MALWARE
Version: 1.0
Created: 16 August 2022
Last Modified: 14 October 2022

Associated Software Descriptions

Name | Description
GRAMDOOR | [3]

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | Small Sieve can contact actor-controlled C2 servers by using the Telegram API over HTTPS.[1]
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Small Sieve has the ability to add itself to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift for persistence.[2]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | Small Sieve can use cmd.exe to execute commands on a victim’s system.[2]
enterprise | T1059.006 | Python | Small Sieve can use Python scripts to execute commands.[2]
enterprise | T1132 | Data Encoding | -
enterprise | T1132.002 | Non-Standard Encoding | Small Sieve can use a custom hex byte swapping encoding scheme to obfuscate tasking traffic.[1][2]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.002 | Asymmetric Cryptography | Small Sieve can use SSL/TLS for its HTTPS Telegram Bot API-based C2 channel.[1]
enterprise | T1480 | Execution Guardrails | Small Sieve can only execute correctly if the word Platypus is passed to it on the command line.[2]
enterprise | T1105 | Ingress Tool Transfer | Small Sieve has the ability to download files.[2]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | Small Sieve can use variations of Microsoft and Outlook spellings, such as “Microsift”, in its file names to avoid detection.[2]
enterprise | T1027 | Obfuscated Files or Information | Small Sieve has the ability to use a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function to protect program strings and Telegram credentials.[2]
enterprise | T1016 | System Network Configuration Discovery | Small Sieve can obtain the IP address of a victim host.[2]
enterprise | T1033 | System Owner/User Discovery | Small Sieve can obtain the ID of a logged-in user.[2]
enterprise | T1102 | Web Service | -
enterprise | T1102.002 | Bidirectional Communication | Small Sieve has the ability to use the Telegram Bot API from Telegram Messenger to send and receive messages.[2]

Groups That Use This Software

ID | Name | References
G0069 | MuddyWater | [1][2]

References