| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Hikit has the ability to create a remote shell and run given commands.[3] |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Hikit has used DLL Search Order Hijacking to load |
| Enterprise | T1105 | Ingress Tool Transfer | Hikit has the ability to download files to a compromised host.[1] |
| Enterprise | T1566 | Phishing | |
| Enterprise | T1090.001 | Proxy: Internal Proxy | |
| Enterprise | T1014 | Rootkit | |
| Enterprise | T1553.004 | Subvert Trust Controls: Install Root Certificate | Hikit installs a self-generated certificate to the local trust store as a root CA and Trusted Publisher.[4] |
| Enterprise | T1553.006 | Subvert Trust Controls: Code Signing Policy Modification | Hikit has attempted to disable driver signing verification by tampering with several Registry keys prior to the loading of a rootkit driver component.[3] |