CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. It is tracked separately from the X-Agent for Android.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Various implementations of CHOPSTICK communicate with C2 over HTTP. |
| Enterprise | T1071.003 | Application Layer Protocol: Mail Protocols | Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3. |
| Enterprise | T1059 | Command and Scripting Interpreter | CHOPSTICK is capable of performing remote command execution. |
| Enterprise | T1092 | Communication Through Removable Media | Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic. |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | CHOPSTICK can use a DGA for Fallback Channels; domains are generated by concatenating words from lists. |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | |
| | | | CHOPSTICK can switch to a new C2 channel if the current one is broken. |
| Enterprise | T1083 | File and Directory Discovery | An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o. |
| Enterprise | T1105 | Ingress Tool Transfer | CHOPSTICK is capable of performing remote file transmission. |
| Enterprise | T1056.001 | Input Capture: Keylogging | |
| | | | CHOPSTICK may modify Registry keys to store RC4 encrypted configuration information. |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry. |
| Enterprise | T1090.001 | Proxy: Internal Proxy | CHOPSTICK used a proxy server between victims and the C2 server. |
| | | | CHOPSTICK provides access to the Windows Registry, which can be used to gather information. |
| Enterprise | T1091 | Replication Through Removable Media | Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic. |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | |
| | | | CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it. |