CHOPSTICK

Malware & Tools · CHOPSTICK

· MalwareS0023 · Zararlı Yazılım

Type

malware

Techniques

Used By

1 groups

Platforms

Windows, Linux

Description

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the X-Agent for Android.

Tactic Coverage

command and control (9)discovery (4)stealth (2)collection (2)credential access (1)execution (1)lateral movement (1)initial access (1)defense impairment (1)persistence (1)

Used By (1 groups)

G0007APT28IRON TWILIGHT, SNAKEMACKEREL

Techniques (19)

T1008Fallback Channels

command and control

T1012Query Registry

discovery

T1027.011Fileless Storage

stealth

T1056.001Keylogging

collectioncredential access

T1059Command and Scripting Interpreter

execution

T1071.001Web Protocols

command and control

References

https://attack.mitre.org/software/S0023 http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf https://www.symantec.com/blogs/election-security/apt28-espionage-military-government