Reaver

Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of Control Panel items.[1]

ID: S0172
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 16 January 2018
Last Modified: 09 February 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Some Reaver variants use HTTP for C2.[1]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Reaver encrypts collected data with an incremental XOR key prior to exfiltration.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[1]

.009 Boot or Logon Autostart Execution: Shortcut Modification

Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Reaver installs itself as a new service.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Reaver deletes the original dropped file from the victim.[1]

Enterprise T1095 Non-Application Layer Protocol

Some Reaver variants use raw TCP for C2.[1]

Enterprise T1027 Obfuscated Files or Information

Reaver encrypts some of its files with XOR.[1]

Enterprise T1012 Query Registry

Reaver queries the Registry to determine the correct Startup path to use for persistence.[1]

Enterprise T1218 .002 Signed Binary Proxy Execution: Control Panel

Reaver drops and executes a malicious CPL file as its payload.[1]

Enterprise T1082 System Information Discovery

Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.[1]

Enterprise T1016 System Network Configuration Discovery

Reaver collects the victim's IP address.[1]

Enterprise T1033 System Owner/User Discovery

Reaver collects the victim's username.[1]

References