CHOPSTICK

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. [1] [2] [3] [4] It is tracked separately from the Android version of the malware.

ID: S0023
Aliases: CHOPSTICK, SPLM, Xagent, X-Agent, webhp
Type: MALWARE
Contributors: Richard Gold, Digital Shadows

Platforms: Windows, Linux

Version: 1.0

Alias Descriptions

Name      | Description
CHOPSTICK | [1] [2] [3]
SPLM      | [2] [3]
Xagent    | [2] [3]
X-Agent   | [2] [3]
webhp     | [3]

Techniques Used

Domain     | ID    | Name                                   | Use
Enterprise | T1059 | Command-Line Interface                 | CHOPSTICK is capable of performing remote command execution. [5] [2]
Enterprise | T1092 | Communication Through Removable Media  | Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic. [1] [2] [6]
Enterprise | T1090 | Connection Proxy                       | CHOPSTICK used a proxy server between victims and the C2 server. [2]
Enterprise | T1008 | Fallback Channels                      | CHOPSTICK can switch to a new C2 channel if the current one is broken. [2]
Enterprise | T1083 | File and Directory Discovery           | An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o. [2]
Enterprise | T1056 | Input Capture                          | CHOPSTICK is capable of performing keylogging. [5] [2] [4]
Enterprise | T1112 | Modify Registry                        | CHOPSTICK may store RC4-encrypted configuration information in the Windows Registry. [1]
Enterprise | T1012 | Query Registry                         | CHOPSTICK provides access to the Windows Registry, which can be used to gather information. [1]
Enterprise | T1105 | Remote File Copy                       | CHOPSTICK is capable of performing remote file transmission. [5]
Enterprise | T1091 | Replication Through Removable Media    | Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic. [1] [6]
Enterprise | T1113 | Screen Capture                         | CHOPSTICK has the capability to capture screenshots. [4]
Enterprise | T1063 | Security Software Discovery            | CHOPSTICK checks for anti-virus, forensics, and virtualization software. [1]
Enterprise | T1071 | Standard Application Layer Protocol    | Various implementations of CHOPSTICK communicate with C2 over HTTP, SMTP, and POP3. [2]
Enterprise | T1032 | Standard Cryptographic Protocol        | CHOPSTICK encrypts C2 communications with RC4 as well as TLS. [2]

Groups

Groups that use this software:

APT28

References