CORESHELL

CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.^[1] ^[2]

Associated Software: Sofacy, SOURFACE

Type: MALWARE

Platforms: Windows

Version: 2.1

Created: 31 May 2017

Last Modified: 30 March 2020

Associated Software Descriptions

Name	Description
Sofacy	This designation has been used in reporting both to refer to the threat group (APT28) and its associated malware.^[1] ^[2]^[3]
SOURFACE	^[1] ^[2]^[3]

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	CORESHELL can communicate over HTTP for C2.^[1]^[4]
		.003	Application Layer Protocol: Mail Protocols	CORESHELL can communicate over SMTP and POP3 for C2.^[1]^[4]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.^[4]
Enterprise	T1132	.001	Data Encoding: Standard Encoding	CORESHELL C2 messages are Base64-encoded.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys.^[1]
Enterprise	T1105		Ingress Tool Transfer	CORESHELL downloads another dropper from its C2 server.^[1]
Enterprise	T1027		Obfuscated Files or Information	CORESHELL obfuscates strings using a custom stream cipher.^[1]
		.001	Binary Padding	CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.^[1]
Enterprise	T1218	.011	Signed Binary Proxy Execution: Rundll32	CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW."^[4]
Enterprise	T1082		System Information Discovery	CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.^[1]

ID	Name	References
G0007	APT28	^[1]