BACKSPACE

BACKSPACE is a backdoor used by APT30 that dates back to at least 2005. [1]

ID: S0031
Aliases: BACKSPACE, Lecna
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

DomainIDNameUse
EnterpriseT1059Command-Line InterfaceAdversaries can direct BACKSPACE to execute from the command-line on infected hosts, or have BACKSPACE create a reverse shell.[1]
EnterpriseT1090Connection ProxyThe "ZJ" variant of BACKSPACE allows "ZJ link" infections with Internet access to relay traffic from "ZJ listen" to a command server.[1]
EnterpriseT1001Data ObfuscationNewer variants of BACKSPACE will encode C2 communications with a custom system.[1]
EnterpriseT1089Disabling Security ToolsThe "ZR" variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed.[1]
EnterpriseT1041Exfiltration Over Command and Control ChannelAdversaries can direct BACKSPACE to upload files to the C2 Server.[1]
EnterpriseT1083File and Directory DiscoveryBACKSPACE allows adversaries to search for files.[1]
EnterpriseT1112Modify RegistryBACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.[1]
EnterpriseT1104Multi-Stage ChannelsBACKSPACE attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs "louder" interactions with the malware.[1]
EnterpriseT1057Process DiscoveryBACKSPACE may collect information about running processes.[1]
EnterpriseT1012Query RegistryBACKSPACE is capable of enumerating and making modifications to an infected system's Registry.[1]
EnterpriseT1060Registry Run Keys / Startup FolderBACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.[1]
EnterpriseT1023Shortcut ModificationBACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.[1]
EnterpriseT1071Standard Application Layer ProtocolBACKSPACE uses HTTP as a transport to communicate with its command server.[1]
EnterpriseT1082System Information DiscoveryDuring its initial execution, BACKSPACE extracts operating system information from the infected host.[1]

Groups

Groups that use this software:

APT30

References