ShimRat
ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. [1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
ShimRat has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Access Control window from appearing.[1] |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
ShimRat communicated over HTTP and HTTPS with C2 servers.[1] |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
ShimRat has installed a registry based start-up key |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
ShimRat can be issued a command shell function from the C2.[1] |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
ShimRat has installed a Windows service to maintain persistence on victim machines.[1] |
| Enterprise | T1005 | Data from Local System |
ShimRat has the capability to upload collected files to a C2.[1] |
|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system.[1] |
|
| Enterprise | T1546 | .011 | Event Triggered Execution: Application Shimming |
ShimRat has installed shim databases in the |
| Enterprise | T1008 | Fallback Channels |
ShimRat has used a secondary C2 location if the first was unavailable.[1] |
|
| Enterprise | T1083 | File and Directory Discovery | ||
| Enterprise | T1574 | Hijack Execution Flow |
ShimRat can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls.[1] |
|
| Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
ShimRat can uninstall itself from compromised hosts, as well create and modify directories, delete, move, copy, and rename files.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | ||
| Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems.[1] |
| Enterprise | T1112 | Modify Registry |
ShimRat has registered two registry keys for shim databases.[1] |
|
| Enterprise | T1106 | Native API |
ShimRat has used Windows API functions to install the service and shim.[1] |
|
| Enterprise | T1135 | Network Share Discovery |
ShimRat can enumerate connected drives for infected host machines.[1] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.[1] |
|
| .002 | Software Packing |
ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack.[1] |
||
| Enterprise | T1090 | .002 | Proxy: External Proxy | |
| Enterprise | T1029 | Scheduled Transfer | ||
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0103 | Mofang |