CHOPSTICK
CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants.[1][2][3][4] It is tracked separately from the X-Agent for Android.
Associated Software Descriptions
Name | Description
---|---
Backdoor.SofacyX |
SPLM |
Xagent |
X-Agent |
webhp |
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Various implementations of CHOPSTICK communicate with C2 over HTTP.[2]
Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.[2]
Enterprise | T1059 | Command and Scripting Interpreter | CHOPSTICK is capable of performing remote command execution.[6][2]
Enterprise | T1092 | Communication Through Removable Media | Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic.[1][2][7]
Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | CHOPSTICK can use a DGA for Fallback Channels; domains are generated by concatenating words from lists.[8]
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography |
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography |
Enterprise | T1008 | Fallback Channels | CHOPSTICK can switch to a new C2 channel if the current one is broken.[2]
Enterprise | T1083 | File and Directory Discovery | An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.[2]
Enterprise | T1105 | Ingress Tool Transfer | CHOPSTICK is capable of performing remote file transmission.[6]
Enterprise | T1056.001 | Input Capture: Keylogging |
Enterprise | T1112 | Modify Registry | CHOPSTICK may store RC4-encrypted configuration information in the Windows Registry.[1]
Enterprise | T1090.001 | Proxy: Internal Proxy | CHOPSTICK used a proxy server between victims and the C2 server.[2]
Enterprise | T1012 | Query Registry | CHOPSTICK provides access to the Windows Registry, which can be used to gather information.[1]
Enterprise | T1091 | Replication Through Removable Media | Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.[1][7]
Enterprise | T1113 | Screen Capture |
Enterprise | T1518.001 | Software Discovery: Security Software Discovery |
Enterprise | T1497 | Virtualization/Sandbox Evasion | CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it.[1]
Groups That Use This Software
ID | Name | References
---|---|---
G0007 | APT28 |
References
- [1] FireEye. (2015). APT28: A Window into Russia's Cyber Espionage Operations?. Retrieved August 19, 2015.
- [2] ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- [3] FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
- [4] Mueller, R. (2018, July 13). Indictment - United States of America vs. Viktor Borisovich Netyksho, et al. Retrieved September 13, 2018.
- [5] Symantec Security Response. (2018, October 4). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
- [6] Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- [7] Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- [8] ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.
- [9] Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- [10] Kaspersky Lab's Global Research and Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.