BISCUIT is a backdoor that has been used by APT1 since as early as 2007. [1]

ID: S0017
Platforms: Windows

Version: 1.1

Techniques Used

EnterpriseT1059Command-Line InterfaceBISCUIT has a command to launch a command shell on the system.[2]
EnterpriseT1094Custom Command and Control ProtocolBISCUIT communicates to the C2 server using a custom protocol.[2]
EnterpriseT1008Fallback ChannelsBISCUIT malware contains a secondary fallback command and control server that is contacted after the primary command and control server.[1][2]
EnterpriseT1056Input CaptureBISCUIT can capture keystrokes.[2]
EnterpriseT1057Process DiscoveryBISCUIT has a command to enumerate running processes and identify their owners.[2]
EnterpriseT1105Remote File CopyBISCUIT has a command to download a file from the C2 server.[2]
EnterpriseT1113Screen CaptureBISCUIT has a command to periodically take screenshots of the system.[2]
EnterpriseT1032Standard Cryptographic ProtocolBISCUIT uses SSL for encrypting C2 communications.[2]
EnterpriseT1082System Information DiscoveryBISCUIT has a command to collect the processor type, operation system, computer name, uptime, and whether the system is a laptop or PC.[2]
EnterpriseT1033System Owner/User DiscoveryBISCUIT has a command to gather the username from the system.[2]


Groups that use this software: