BISCUIT is a backdoor that has been used by APT1 since as early as 2007.[1]

ID: S0017
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

BISCUIT has a command to launch a command shell on the system.[2]

Enterprise T1573.002 Encrypted Channel: Asymmetric Cryptography

BISCUIT uses SSL for encrypting C2 communications.[2]

Enterprise T1008 Fallback Channels

BISCUIT malware contains a secondary fallback command and control server that is contacted after the primary command and control server.[1][2]

Enterprise T1105 Ingress Tool Transfer

BISCUIT has a command to download a file from the C2 server.[2]

Enterprise T1056.001 Input Capture: Keylogging

BISCUIT can capture keystrokes.[2]

Enterprise T1057 Process Discovery

BISCUIT has a command to enumerate running processes and identify their owners.[2]

Enterprise T1113 Screen Capture

BISCUIT has a command to periodically take screenshots of the system.[2]

Enterprise T1082 System Information Discovery

BISCUIT has a command to collect the processor type, operating system, computer name, uptime, and whether the system is a laptop or PC.[2]

Enterprise T1033 System Owner/User Discovery

BISCUIT has a command to gather the username from the system.[2]

Groups That Use This Software

ID Name References
G0006 APT1