CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. It is tracked separately from the X-Agent for Android.
Techniques Used

| Domain | ID | Name |
|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols |
| Enterprise | T1059 | Command and Scripting Interpreter |
| Enterprise | T1092 | Communication Through Removable Media |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography |
| Enterprise | T1083 | File and Directory Discovery |
| Enterprise | T1105 | Ingress Tool Transfer |
| Enterprise | T1056.001 | Input Capture: Keylogging |
| Enterprise | T1090.001 | Proxy: Internal Proxy |
| Enterprise | T1091 | Replication Through Removable Media |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery |