Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.[1][2]

ID: S0009
Platforms: Windows
Contributors: Christopher Glyer, FireEye, @cglyer
Version: 1.1
Created: 31 May 2017
Last Modified: 13 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

Hikit has used HTTP for C2.[3]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Hikit has the ability to create a remote shell and run given commands.[3]

Enterprise T1573.001 Encrypted Channel: Symmetric Cryptography

Hikit performs XOR encryption.[1]

Enterprise T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

Hikit has used DLL Search Order Hijacking to load oci.dll as a persistence mechanism.[2]

Enterprise T1090.001 Proxy: Internal Proxy

Hikit supports peer connections.[1]

Enterprise T1014 Rootkit

Hikit is a rootkit that has been used by Axiom.[2][3]

Enterprise T1553.004 Subvert Trust Controls: Install Root Certificate

Hikit uses certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root and certmgr.exe -add GlobalSign.cer -c -s -r localMachineTrustedPublisher to install a self-generated certificate to the local trust store as a root CA and Trusted Publisher.[3]
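One way to spot a certificate that was pushed into the machine trust stores this way, as an added defender-side example that is not part of the ATT&CK entry: diff the LocalMachine Root and TrustedPublisher stores against a thumbprint baseline taken on a clean reference host. The baseline file path and the baseline itself are assumptions; everything else uses the standard Cert: provider.

```powershell
# Added example: report certificates in the LocalMachine Root and TrustedPublisher
# stores that are not in a known-good baseline. Run once with -Baseline on a clean
# reference host, then without it on hosts under review.
param(
    [string]$BaselinePath = "$env:ProgramData\trust-baseline.txt",  # assumed location
    [switch]$Baseline
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher')

function Get-TrustStoreCerts {
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                SelfSigned = ($_.Subject -eq $_.Issuer)   # self-issued, as a generated cert would be
                NotBefore  = $_.NotBefore
            }
        }
    }
}

$current = @(Get-TrustStoreCerts)

if ($Baseline) {
    $current | ForEach-Object { "$($_.Store)|$($_.Thumbprint)" } | Set-Content -Path $BaselinePath
    Write-Host "Baseline written: $($current.Count) entries to $BaselinePath"
    return
}

$known = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object { $known[$_] = $true }
}

# Anything not in the baseline is a finding.
$findings = @($current | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") })

# A self-signed certificate in TrustedPublisher is a finding on its own: legitimate
# publisher entries are leaf code-signing certificates chained to a CA, not self-issued roots.
$findings += @($current | Where-Object { $_.Store -like '*TrustedPublisher' -and $_.SelfSigned })

$findings | Sort-Object Store, Thumbprint -Unique |
    Format-Table Store, Thumbprint, Subject, SelfSigned, NotBefore -AutoSize
```

Because the real GlobalSign roots are themselves self-signed, the baseline comparison, not the subject name, is what separates a freshly generated certificate from a genuine one.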

Groups That Use This Software

ID Name References
G0001 Axiom