S1222 RIFLESPINE

RIFLESPINE is a cross-platform backdoor that leverages Google Drive for file transfer and command execution.¹

Techniques Used

Domain	ID	Name	Use
enterprise	T1071	Application Layer Protocol	-
enterprise	T1071.001	Web Protocols	RIFLESPINE can use HTTP `GET` and `PUT` to upload and download files.¹
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.004	Unix Shell	RIFLESPINE can execute commands with `/bin/sh`.¹
enterprise	T1543	Create or Modify System Process	-
enterprise	T1543.002	Systemd Service	RIFLESPINE can create a systemd service file for execution.¹
enterprise	T1074	Data Staged	-
enterprise	T1074.001	Local Data Staging	RIFLESPINE can stage the output from executed C2 commands to a temporary file.¹

enterprise	T1140	Deobfuscate/Decode Files or Information	RIFLESPINE can deobfuscate encrypted files prior to execution on targeted hosts.¹
enterprise	T1573	Encrypted Channel	-
enterprise	T1573.001	Symmetric Cryptography	RIFLESPINE can use the AES algorithm to encrypt C2 data.¹
enterprise	T1567	Exfiltration Over Web Service	-
enterprise	T1567.002	Exfiltration to Cloud Storage	RIFLESPINE can upload results from executed C2 commands to cloud storage.¹
enterprise	T1105	Ingress Tool Transfer	RIFLESPINE can download and execute files.¹
enterprise	T1082	System Information Discovery	RIFLESPINE can collect system information after installation on infected systems.¹
enterprise	T1102	Web Service	-
enterprise	T1102.002	Bidirectional Communication	RIFLESPINE can retrieve C2 commands from an encrypted file on Google Drive then upload the results of command execution back to Google Drive.¹

ID	Name	References
G1048	UNC3886	¹