CHOPSTICK

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. [1] [2] [3] [4] It is tracked separately from the X-Agent for Android.

ID: S0023
Associated Software: Backdoor.SofacyX, SPLM, Xagent, X-Agent, webhp
Type: MALWARE
Platforms: Windows, Linux
Contributors: Richard Gold, Digital Shadows
Version: 2.3
Created: 31 May 2017
Last Modified: 26 March 2023

Associated Software Descriptions

Name Description
Backdoor.SofacyX

[5]

SPLM

[2] [3]

Xagent

[2] [3]

X-Agent

[2] [3]

webhp

[3]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Various implementations of CHOPSTICK communicate with C2 over HTTP.[2]

.003 Application Layer Protocol: Mail Protocols

Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.[2]

Enterprise T1059 Command and Scripting Interpreter

CHOPSTICK is capable of performing remote command execution.[6][2]

Enterprise T1092 Communication Through Removable Media

Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic.[1][2][7]

Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

CHOPSTICK can use a DGA for Fallback Channels, domains are generated by concatenating words from lists.[8]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

CHOPSTICK encrypts C2 communications with RC4.[2]

.002 Encrypted Channel: Asymmetric Cryptography

CHOPSTICK encrypts C2 communications with TLS.[2]

Enterprise T1008 Fallback Channels

CHOPSTICK can switch to a new C2 channel if the current one is broken.[2]

Enterprise T1083 File and Directory Discovery

An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.[2]

Enterprise T1105 Ingress Tool Transfer

CHOPSTICK is capable of performing remote file transmission.[6]

Enterprise T1056 .001 Input Capture: Keylogging

CHOPSTICK is capable of performing keylogging.[6][2][4]

Enterprise T1112 Modify Registry

CHOPSTICK may modify Registry keys to store RC4 encrypted configuration information.[1]

Enterprise T1027 .011 Obfuscated Files or Information: Fileless Storage

CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry.[1]

Enterprise T1090 .001 Proxy: Internal Proxy

CHOPSTICK used a proxy server between victims and the C2 server.[2]

Enterprise T1012 Query Registry

CHOPSTICK provides access to the Windows Registry, which can be used to gather information.[1]

Enterprise T1091 Replication Through Removable Media

Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.[1][7][9]

Enterprise T1113 Screen Capture

CHOPSTICK has the capability to capture screenshots.[4]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

CHOPSTICK checks for antivirus and forensics software.[1]

Enterprise T1497 Virtualization/Sandbox Evasion

CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it.[1]

Groups That Use This Software

ID Name References
G0007 APT28

[1][10][11][9]

References