BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.[1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
BackConfig has the ability to use HTTPS for C2 communiations.[1] |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
BackConfig can download and run batch files to execute commands on a compromised host.[1] |
.005 | Command and Scripting Interpreter: Visual Basic |
BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.[1] |
||
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
BackConfig has used a custom routine to decrypt strings.[1] |
|
Enterprise | T1083 | File and Directory Discovery |
BackConfig has the ability to identify folders and files related to previous infections.[1] |
|
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
BackConfig has the ability to set folders or files to be hidden from the Windows Explorer default view.[1] |
Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
BackConfig has the ability to remove files and folders related to previous infections.[1] |
Enterprise | T1105 | Ingress Tool Transfer |
BackConfig can download and execute additional payloads on a compromised host.[1] |
|
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
BackConfig has hidden malicious payloads in |
Enterprise | T1106 | Native API |
BackConfig can leverage API functions such as |
|
Enterprise | T1027 | Obfuscated Files or Information |
BackConfig has used compressed and decimal encoded VBS scripts.[1] |
|
Enterprise | T1137 | .001 | Office Application Startup: Office Template Macros |
BackConfig has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros.[1] |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.[1] |
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
BackConfig has been signed with self signed digital certificates mimicking a legitimate software company.[1] |
Enterprise | T1082 | System Information Discovery |
BackConfig has the ability to gather the victim's computer name.[1] |
|
Enterprise | T1204 | .001 | User Execution: Malicious Link |
BackConfig has compromised victims via links to URLs hosting malicious content.[1] |
ID | Name | References |
---|---|---|
G0040 | Patchwork |