SOFTWARE
Aria-body
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. Hikit

Hikit

Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise. [1] [2]

ID: S0009
Type: MALWARE
Platforms: Windows
Contributors: Christopher Glyer, FireEye, @cglyer
Version: 1.1
Created: 31 May 2017
Last Modified: 13 May 2020
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Hikit has used HTTP for C2.[3]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Hikit has the ability to create a remote shell and run given commands. [3]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Hikit performs XOR encryption.[1]
Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Hikit has used DLL Search Order Hijacking to load oci.dll as a persistence mechanism.[2]
Enterprise T1090 .001 Proxy: Internal Proxy

Hikit supports peer connections.[1]
Enterprise T1014 Rootkit

Hikit is a Rootkit that has been used by Axiom.[2] [3]

Enterprise T1553 .004 Subvert Trust Controls: Install Root Certificate

Hikit uses certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root and certmgr.exe -add GlobalSign.cer -c -s -r localMachineTrustedPublisher to install a self-generated certificate to the local trust store as a root CA and Trusted Publisher.[3]

Groups That Use This Software

ID Name References
G0001 Axiom

[1]

References

  1. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  2. Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.
  1. Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.