Currently viewing ATT&CK v10.1 which was live between October 21, 2021 and April 24, 2022. Learn more about the versioning system or see the live site.
  1. Home
  2. Software
  3. WEBC2

WEBC2

WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. [1][2]

ID: S0109
Type: MALWARE
Platforms: Windows
Contributors: Wes Hurd
Version: 2.0
Created: 31 May 2017
Last Modified: 25 August 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

WEBC2 can open an interactive command shell.[2]
Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\WINDOWS\ntshrui.dll).[1]
Enterprise T1105 Ingress Tool Transfer

WEBC2 can download and execute a file.[2]

Groups That Use This Software

ID Name References
G0006 APT1

[2]

References

  1. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.