S1099 Samurai
Samurai is a passive backdoor that has been used by ToddyCat since at least 2020. Samurai allows arbitrary C# code execution and is used with multiple modules for remote administration and lateral movement.[1]
| Item | Value |
|---|---|
| ID | S1099 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 04 January 2024 |
| Last Modified | 04 January 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Samurai can use a .NET HTTPListener class to receive and handle HTTP POST requests.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Samurai can use a remote command module for execution via the Windows command line.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Samurai can create a service at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost to trigger execution and maintain persistence.[1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Samurai can base64 encode data sent in C2 communications prior to its encryption.[1] |
| enterprise | T1005 | Data from Local System | Samurai can leverage an exfiltration module to download arbitrary files from compromised machines.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Samurai can encrypt C2 communications with AES.[1] |
| enterprise | T1083 | File and Directory Discovery | Samurai can use a specific module for file enumeration.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Samurai has been used to deploy other malware including Ninja.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | Samurai has created the directory %COMMONPROGRAMFILES%\Microsoft Shared\wmi\ to contain DLLs for loading successive stages.[1] |
| enterprise | T1112 | Modify Registry | The Samurai loader component can create multiple Registry keys to force the svchost.exe process to load the final backdoor.[1] |
| enterprise | T1106 | Native API | Samurai has the ability to call Windows APIs.[1] |
| enterprise | T1095 | Non-Application Layer Protocol | Samurai can use a proxy module to forward TCP packets to external hosts.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Samurai can encrypt the names of requested APIs.[1] |
| enterprise | T1027.004 | Compile After Delivery | Samurai can compile and execute downloaded modules at runtime.[1] |
| enterprise | T1027.007 | Dynamic API Resolution | Samurai can encrypt API name strings with an XOR-based algorithm.[1] |
| enterprise | T1027.015 | Compression | Samurai can deliver its final payload as a compressed, encrypted and base64-encoded blob.[1] |
| enterprise | T1090 | Proxy | Samurai has the ability to proxy connections to specified remote IPs and ports through a proxy module.[1] |
| enterprise | T1012 | Query Registry | Samurai can query SOFTWARE\Microsoft\.NETFramework\policy\v2.0 for discovery.[1] |
| enterprise | T1518 | Software Discovery | Samurai can check for the presence and version of the .NET framework.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1022 | ToddyCat | [1] |