1. Home
  2. Software
  3. CHOPSTICK

CHOPSTICK

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. [1] [2] [3] [4] It is tracked separately from the X-Agent for Android.

ID: S0023
Associated Software: Backdoor.SofacyX, SPLM, Xagent, X-Agent, webhp
Type: MALWARE
Platforms: Windows, Linux
Contributors: Richard Gold, Digital Shadows
Version: 2.3
Created: 31 May 2017
Last Modified: 26 March 2023
Version Permalink

Associated Software Descriptions

Name Description
Backdoor.SofacyX

[5]
SPLM

[2] [3]
Xagent

[2] [3]
X-Agent

[2] [3]
webhp

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Various implementations of CHOPSTICK communicate with C2 over HTTP.[2]
.003 Application Layer Protocol: Mail Protocols

Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.[2]
Enterprise T1059 Command and Scripting Interpreter

CHOPSTICK is capable of performing remote command execution.[6][2]
Enterprise T1092 Communication Through Removable Media

Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic.[1][2][7]
Enterprise T1568 .002 Dynamic Resolution: Domain Generation Algorithms

CHOPSTICK can use a DGA for Fallback Channels, domains are generated by concatenating words from lists.[8]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

CHOPSTICK encrypts C2 communications with RC4.[2]
.002 Encrypted Channel: Asymmetric Cryptography

CHOPSTICK encrypts C2 communications with TLS.[2]
Enterprise T1008 Fallback Channels

CHOPSTICK can switch to a new C2 channel if the current one is broken.[2]
Enterprise T1083 File and Directory Discovery

An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.[2]
Enterprise T1105 Ingress Tool Transfer

CHOPSTICK is capable of performing remote file transmission.[6]
Enterprise T1056 .001 Input Capture: Keylogging

CHOPSTICK is capable of performing keylogging.[6][2][4]
Enterprise T1112 Modify Registry

CHOPSTICK may modify Registry keys to store RC4 encrypted configuration information.[1]
Enterprise T1027 .011 Obfuscated Files or Information: Fileless Storage

CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry.[1]
Enterprise T1090 .001 Proxy: Internal Proxy

CHOPSTICK used a proxy server between victims and the C2 server.[2]
Enterprise T1012 Query Registry

CHOPSTICK provides access to the Windows Registry, which can be used to gather information.[1]
Enterprise T1091 Replication Through Removable Media

Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.[1][7][9]
Enterprise T1113 Screen Capture

CHOPSTICK has the capability to capture screenshots.[4]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

CHOPSTICK checks for antivirus and forensics software.[1]
Enterprise T1497 Virtualization/Sandbox Evasion

CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it.[1]

Groups That Use This Software

ID Name References
G0007 APT28

[1][10][11][9]

References

  1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  2. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  3. FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
  4. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  5. Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
  6. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  1. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  2. ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.
  3. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
  4. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  5. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.