1. Home
  2. Software
  3. BADFLICK

BADFLICK

BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.[1][2]

ID: S0642
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 26 August 2021
Last Modified: 15 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1560 .002 Archive Collected Data: Archive via Library

BADFLICK has compressed data using the aPLib compression library.[2]
Enterprise T1005 Data from Local System

BADFLICK has uploaded files from victims' machines.[2]
Enterprise T1140 Deobfuscate/Decode Files or Information

BADFLICK can decode shellcode using a custom rotating XOR cipher.[2]
Enterprise T1083 File and Directory Discovery

BADFLICK has searched for files on the infected host.[2]
Enterprise T1105 Ingress Tool Transfer

BADFLICK has download files from its C2 server.[2]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

BADFLICK has been distributed via spearphishing campaigns containing malicious Microsoft Word documents.[2]
Enterprise T1082 System Information Discovery

BADFLICK has captured victim computer name, memory space, and CPU details.[2]
Enterprise T1016 System Network Configuration Discovery

BADFLICK has captured victim IP address details.[2]
Enterprise T1204 .002 User Execution: Malicious File

BADFLICK has relied upon users clicking on a malicious attachment delivered through spearphishing.[2]
Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

BADFLICK has delayed communication to the actor-controlled IP address by 5 minutes.[2]

Groups That Use This Software

ID Name References
G0065 Leviathan

[1][2]

References

  1. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  1. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.