S1149 CHIMNEYSWEEP
CHIMNEYSWEEP is a backdoor malware that was deployed during HomeLand Justice along with ROADSWEEP ransomware, and has been used to target Farsi and Arabic speakers since at least 2012. [1]
| Item | Value |
|---|---|
| ID | S1149 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 07 August 2024 |
| Last Modified | 09 August 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | CHIMNEYSWEEP can make use of the Windows SilentCleanup scheduled task to execute its payload with elevated privileges. [1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | CHIMNEYSWEEP can send HTTP GET requests to C2. [1] |
| enterprise | T1115 | Clipboard Data | CHIMNEYSWEEP can capture content from the clipboard. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | CHIMNEYSWEEP can invoke the PowerShell command `[Reflection.Assembly]::LoadFile("%s")\n$i=""\n$r=[%s]::%s("%s",[ref] $i)\necho $r,$i\n` to execute secondary payloads. [1] |
| enterprise | T1059.005 | Visual Basic | CHIMNEYSWEEP has executed a script named `cln.vbs` on compromised hosts. [1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.002 | Non-Standard Encoding | CHIMNEYSWEEP can use a custom Base64 alphabet for encoding C2. [1] |
| enterprise | T1005 | Data from Local System | CHIMNEYSWEEP can collect files from compromised hosts. [1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | CHIMNEYSWEEP can store captured screenshots to disk, including to a covert store named `APPX.%x%x%x%x%x.tmp`, where each `%x` is a random value. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | CHIMNEYSWEEP can use an embedded RC4 key to decrypt Windows API function strings. [1] |
| enterprise | T1480 | Execution Guardrails | CHIMNEYSWEEP can gate execution of its payload on finding a running process whose name contains “creensaver.” [1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | CHIMNEYSWEEP can upload collected files to the command-and-control server. [1] |
| enterprise | T1083 | File and Directory Discovery | CHIMNEYSWEEP has the ability to enumerate directories for files that match a set list. [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.006 | Timestomp | CHIMNEYSWEEP can timestomp its executable, previously dating it between 2010 and 2021. [1] |
| enterprise | T1105 | Ingress Tool Transfer | CHIMNEYSWEEP can download additional files from C2. [1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | CHIMNEYSWEEP has the ability to support keylogging. [1] |
| enterprise | T1112 | Modify Registry | CHIMNEYSWEEP can use the Windows Registry Environment key to change the `%windir%` variable to point to `c:\Windows` to enable payload execution. [1] |
| enterprise | T1106 | Native API | CHIMNEYSWEEP can use Windows APIs including `LoadLibrary` and `GetProcAddress`. [1] |
| enterprise | T1027 | Obfuscated Files or Information | CHIMNEYSWEEP can use a custom Base64 alphabet to encode an API decryption key. [1] |
| enterprise | T1027.001 | Binary Padding | The CHIMNEYSWEEP installer has been padded with null bytes to inflate its size. [1] |
| enterprise | T1027.007 | Dynamic API Resolution | CHIMNEYSWEEP can use `LoadLibrary` and `GetProcAddress` to resolve Windows API function strings at run time. [1] |
| enterprise | T1027.009 | Embedded Payloads | CHIMNEYSWEEP can extract RC4-encrypted embedded payloads for privilege escalation. [1] |
| enterprise | T1120 | Peripheral Device Discovery | CHIMNEYSWEEP can monitor for removable drives. [1] |
| enterprise | T1057 | Process Discovery | CHIMNEYSWEEP can check if a process name contains “creensaver.” [1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | CHIMNEYSWEEP can use the Windows SilentCleanup scheduled task to enable payload execution. [1] |
| enterprise | T1113 | Screen Capture | CHIMNEYSWEEP can capture screenshots on targeted systems using a timer and either upload them or store them to disk. [1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | CHIMNEYSWEEP is capable of checking whether a compromised device is running DeepFreeze by Faronics. [1] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | CHIMNEYSWEEP has been dropped by a self-extracting archive signed with a valid digital certificate. [1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.003 | CMSTP | CHIMNEYSWEEP can use `CMSTP.exe` to install a malicious Microsoft Connection Manager Profile. [1] |
| enterprise | T1033 | System Owner/User Discovery | CHIMNEYSWEEP has included the victim’s computer name and username in C2 messages sent to actor-owned infrastructure. [1] |
| enterprise | T1529 | System Shutdown/Reboot | CHIMNEYSWEEP can reboot or shut down the targeted system or log off the current user. [1] |
| enterprise | T1102 | Web Service | CHIMNEYSWEEP has the ability to use Telegram channels to return a list of commands to be executed, to download additional payloads, or to create a reverse shell. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1001 | HEXANE | HEXANE probed victim infrastructure in support of HomeLand Justice. [2] |
References
1. Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
2. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.