Currently viewing ATT&CK v8.2, which was live between October 27, 2020 and April 28, 2021.

CORALDECK

CORALDECK is an exfiltration tool used by APT37. [1]

ID: S0212
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 18 April 2018
Last Modified: 30 March 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated.[1] |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | CORALDECK has exfiltrated data in HTTP POST headers.[1] |
| Enterprise | T1083 | File and Directory Discovery | CORALDECK searches for specified files.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0067 | APT37 | [1] |

References