CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. It is tracked separately from the X-Agent for Android.
Associated Software Descriptions
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | CHOPSTICK is capable of performing remote command execution. |
| Enterprise | T1092 | Communication Through Removable Media | Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic. |
| Enterprise | T1090 | Connection Proxy | CHOPSTICK used a proxy server between victims and the C2 server. |
| Enterprise | T1483 | Domain Generation Algorithms | CHOPSTICK can use a DGA for Fallback Channels; domains are generated by concatenating words from lists. |
| Enterprise | T1008 | Fallback Channels | CHOPSTICK can switch to a new C2 channel if the current one is broken. |
| Enterprise | T1083 | File and Directory Discovery | An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o. |
| Enterprise | T1056 | Input Capture | CHOPSTICK is capable of performing keylogging. |
| Enterprise | T1112 | Modify Registry | CHOPSTICK may store RC4-encrypted configuration information in the Windows Registry. |
| Enterprise | T1012 | Query Registry | CHOPSTICK provides access to the Windows Registry, which can be used to gather information. |
| Enterprise | T1105 | Remote File Copy | CHOPSTICK is capable of performing remote file transmission. |
| Enterprise | T1091 | Replication Through Removable Media | Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic. |
| Enterprise | T1113 | Screen Capture | CHOPSTICK has the capability to capture screenshots. |
| Enterprise | T1063 | Security Software Discovery | CHOPSTICK checks for anti-virus and forensics software. |
| Enterprise | T1071 | Standard Application Layer Protocol | Various implementations of CHOPSTICK communicate with C2 over HTTP, SMTP, and POP3. |
| Enterprise | T1032 | Standard Cryptographic Protocol | CHOPSTICK encrypts C2 communications with RC4 as well as TLS. |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | CHOPSTICK checks for virtualization software. |
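The T1483 and T1008 rows above say only that the fallback DGA builds domains by concatenating words from lists. The following is an added example, not CHOPSTICK's code and not taken from any of the cited reports: it shows the general shape of a dictionary-concatenation DGA (a deterministic seed picks one word from each list) and the detection check a defender would pair with it, a segmentation test that flags a queried name whose leftmost label splits cleanly into two or more words from a recovered vocabulary. The word lists, the date-string seed, the SHA-256 derivation, the domain layout and the DNS log lines are all constructed for the example.

```python
"""Dictionary-concatenation DGA and a matching detection check.

Added example, not CHOPSTICK code. The page says only that the DGA
concatenates words from lists; the word lists, the seed scheme, the
domain shape and the DNS log lines below are all constructed."""
import hashlib
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed word lists (hypothetical). For a real sample the lists are
# recovered from the binary's strings or from its decrypted configuration.
ADJECTIVES = ["silent", "rapid", "golden", "remote", "quiet", "dark"]
NOUNS = ["river", "signal", "window", "garden", "stone", "falcon"]
TLDS = ["com", "net", "org"]
VOCAB: Set[str] = set(ADJECTIVES) | set(NOUNS)


def generate_domains(seed: str, count: int = 10) -> List[str]:
    """Derive `count` fallback domains from a seed string (e.g. an ISO date).

    The derivation is deterministic, so implant and operator agree on the
    same list for the same seed and the operator registers only the few
    they intend to answer on."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).digest()
        adj = ADJECTIVES[digest[0] % len(ADJECTIVES)]
        noun = NOUNS[digest[1] % len(NOUNS)]
        tld = TLDS[digest[2] % len(TLDS)]
        domains.append(f"{adj}{noun}.{tld}")
    return domains


def segment(label: str, vocab: Set[str]) -> Optional[List[str]]:
    """Split `label` into a run of vocabulary words, or None if impossible.

    Dynamic programming over prefixes: best[i] holds a segmentation of
    label[:i] once one has been found."""
    best: List[Optional[List[str]]] = [None] * (len(label) + 1)
    best[0] = []
    for end in range(1, len(label) + 1):
        for start in range(end):
            prefix = best[start]
            if prefix is not None and label[start:end] in vocab:
                best[end] = prefix + [label[start:end]]
                break
    return best[len(label)]


def looks_like_dictionary_dga(domain: str, vocab: Set[str] = VOCAB) -> bool:
    """Flag a domain whose leftmost label is built from two or more
    vocabulary words. A single word is not flagged: one-word domains are
    common and legitimate."""
    parts = segment(domain.split(".")[0].lower(), vocab)
    return parts is not None and len(parts) >= 2


# Constructed DNS log lines: timestamp, host, action, record type, name.
SAMPLE_DNS_LOG = """\
2018-10-04T10:01:02Z host1 query A silentriver.net
2018-10-04T10:01:05Z host1 query A www.example.com
2018-10-04T10:02:11Z host2 query A goldenfalcon.org
2018-10-04T10:02:40Z host2 query A river.com
"""


def flag_queries(log_text: str, vocab: Set[str] = VOCAB) -> List[Tuple[str, str]]:
    """Return (host, domain) pairs for queries that match the DGA shape."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, domain = fields[1], fields[4]
        if looks_like_dictionary_dga(domain, vocab):
            hits.append((host, domain))
    return hits


if __name__ == "__main__":
    for d in generate_domains(date.today().isoformat(), 5):
        print(d, looks_like_dictionary_dga(d))
    print(flag_queries(SAMPLE_DNS_LOG))
```

The check is only as good as the vocabulary: with the real lists recovered from a sample it is precise, with a generic English word list it will also match legitimate compound-word domains, so treat it as an enrichment to combine with NXDOMAIN volume and first-seen age rather than a standalone alert.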
Groups that use this software: APT28
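The T1112 and T1032 rows state that CHOPSTICK may keep an RC4-encrypted configuration in the Windows Registry and encrypts C2 traffic with RC4. The following is an added example, not CHOPSTICK's code and not derived from any cited report: a plain RC4 implementation of the kind an analyst writes to decrypt an exported registry blob once the key is recovered, a quick plausibility check for a candidate key, and a general RC4 caveat about keystream reuse. The key, the configuration fields, the registry value path (a dictionary stands in for the hive) and the two C2 messages are all constructed; nothing here describes the real blob layout.

```python
"""RC4 handling for an RC4-encrypted implant configuration.

Added example, not CHOPSTICK code. The key, the configuration fields, the
registry value path and the C2 messages are constructed; the page states
only that the configuration may be stored RC4-encrypted in the Windows
Registry and that C2 traffic is RC4-encrypted."""
import json
from typing import Dict


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR `data` with the RC4 keystream for `key`.

    RC4 is a stream cipher, so the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute S under the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation: one keystream byte per data byte
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Hypothetical key and configuration. A real key is recovered from the
# sample (hard-coded, or derived from something the analyst can reproduce).
CONFIG_KEY = b"example-rc4-key"
CONFIG = {"c2": ["c2.example.invalid"], "proxy": "10.0.0.5:8080", "interval": 600}


def pack_config(cfg: dict, key: bytes) -> bytes:
    """Serialise and encrypt a configuration the way an implant might."""
    return rc4(key, json.dumps(cfg, sort_keys=True).encode())


def unpack_config(blob: bytes, key: bytes) -> dict:
    """Decrypt a configuration blob. A wrong key yields bytes that fail to
    decode or parse, which is the quickest sanity check on a candidate key."""
    return json.loads(rc4(key, blob).decode("utf-8"))


# Stand-in for a REG_BINARY value exported from a victim hive (constructed).
FAKE_REGISTRY: Dict[str, bytes] = {
    r"HKCU\Software\Example\Settings\Blob": pack_config(CONFIG, CONFIG_KEY),
}


def recover_config(value_path: str, key: bytes) -> dict:
    """Decrypt the stored configuration from the registry stand-in."""
    return unpack_config(FAKE_REGISTRY[value_path], key)


def key_is_plausible(blob: bytes, key: bytes) -> bool:
    """True if `key` turns `blob` into parseable JSON, False otherwise."""
    try:
        unpack_config(blob, key)
        return True
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return False


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """General RC4 caveat, not a claim about this malware: two messages
    encrypted under the same key with no per-message nonce share a
    keystream, so XORing the ciphertexts cancels it and leaves p1 XOR p2."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    blob = FAKE_REGISTRY[r"HKCU\Software\Example\Settings\Blob"]
    print("blob:", blob.hex())
    print("config:", recover_config(r"HKCU\Software\Example\Settings\Blob", CONFIG_KEY))
    print("wrong key plausible:", key_is_plausible(blob, b"wrong-key"))
```

Because RC4 provides no integrity, the only signal that a recovered key is right is that the output parses; when the real format is not self-describing, look for a recognisable header, length field or checksum in the decrypted bytes instead of JSON. The keystream-reuse function is there to remind a traffic analyst that captured RC4 C2 sessions under a static key can be XORed together to recover plaintext differences, independent of any particular implant.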
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.
- Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
- Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.
- Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.