NETEAGLE

NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” [1]

ID: S0034
Aliases: NETEAGLE
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | NETEAGLE allows adversaries to execute shell commands on the infected host.[1]
Enterprise | T1094 | Custom Command and Control Protocol | If NETEAGLE does not detect a proxy configured on the infected machine, it sends beacons via UDP/6000. After retrieving a C2 IP address and port number, NETEAGLE initiates a TCP connection to that socket. The resulting connection is a plaintext C2 channel in which commands are specified by DWORDs.[1]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | NETEAGLE is capable of reading files over the C2 channel.[1]
Enterprise | T1008 | Fallback Channels | NETEAGLE attempts to detect whether the infected host is configured to use a proxy. If so, it sends beacons via an HTTP POST request; otherwise it sends beacons via UDP/6000.[1]
Enterprise | T1083 | File and Directory Discovery | NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing files, retrieving file attributes, and retrieving volume information.[1]
Enterprise | T1057 | Process Discovery | NETEAGLE can send process listings over the C2 channel.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | The "Scout" variant of NETEAGLE achieves persistence by adding itself to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.[1]
Enterprise | T1071 | Standard Application Layer Protocol | NETEAGLE attempts to detect whether the infected host is configured to use a proxy. If so, it sends beacons via an HTTP POST request; otherwise it sends beacons via UDP/6000. NETEAGLE also uses HTTP to download resources that contain an IP address and port number pair to connect to for further C2. Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519.[1]
Enterprise | T1032 | Standard Cryptographic Protocol | NETEAGLE decrypts resources it downloads over HTTP using RC4 with the key "ScoutEagle".[1]
Enterprise | T1095 | Standard Non-Application Layer Protocol | If NETEAGLE does not detect a proxy configured on the infected machine, it sends beacons via UDP/6000. After retrieving a C2 IP address and port number, NETEAGLE initiates a TCP connection to that socket. The resulting connection is a plaintext C2 channel in which commands are specified by DWORDs.[1]
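The following Python script is an added triage example written for this page; it is not code from the ATT&CK entry, from MITRE, or from the APT30 report, and it is not NETEAGLE's own code. It ties together three behaviours from the table above: RC4 decryption of a downloaded resource with the key "ScoutEagle" to recover the C2 IP:port pair, the UDP/6000 beacon used when no proxy is configured, and the RDP-over-TCP/7519 controller session. The exact layout of the decrypted resource is not documented in the entry, so the script assumes (as labelled in the code) that the endpoint appears as ASCII "ip:port"; the flow records and the encrypted blob are constructed inline by the script itself, and "internal" is taken to mean RFC 1918 or loopback space.

```python
"""Triage helpers for the NETEAGLE C2 behaviours described in the ATT&CK entry:
RC4-encrypted HTTP resources (key "ScoutEagle") that yield a C2 IP:port,
UDP/6000 beacons when no proxy is configured, and RDP over TCP/7519.
All sample data below is constructed for illustration, not captured traffic."""
import ipaddress
import re

RC4_KEY = b"ScoutEagle"      # key named in the ATT&CK entry
BEACON_UDP_PORT = 6000       # beacon port when no proxy is configured
RDP_TCP_PORT = 7519          # RDP-to-controller port named in the entry

# ASSUMPTION: "internal" means RFC 1918 or loopback; anything else is external.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# ASSUMPTION: the decrypted resource carries the C2 endpoint as ASCII "ip:port".
# The ATT&CK entry only says the resource contains an IP address and port number.
_SOCKET_RE = re.compile(rb"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def extract_c2_socket(encrypted_resource: bytes, key: bytes = RC4_KEY):
    """RC4-decrypt a downloaded resource and return the first valid (ip, port),
    or None if nothing parseable is present."""
    plain = rc4(key, encrypted_resource)
    for ip_raw, port_raw in _SOCKET_RE.findall(plain):
        try:
            ip = str(ipaddress.IPv4Address(ip_raw.decode()))
        except ValueError:
            continue                          # e.g. "999.1.1.1" matched the loose regex
        port = int(port_raw)
        if 0 < port < 65536:
            return ip, port
    return None


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _INTERNAL_NETS)


def flag_neteagle_flows(flows, c2_socket=None):
    """Return (src, dst, dport, reason) for flows matching the entry's C2 patterns.
    Each flow is a dict with keys src, dst, proto ("tcp"/"udp") and dport."""
    hits = []
    for f in flows:
        proto, dport = f["proto"].lower(), int(f["dport"])
        reason = None
        if proto == "udp" and dport == BEACON_UDP_PORT and not _is_internal(f["dst"]):
            reason = "UDP/6000 beacon to external host (no-proxy path)"
        elif proto == "tcp" and dport == RDP_TCP_PORT:
            reason = "TCP/7519 RDP session to controller"
        elif c2_socket and proto == "tcp" and (f["dst"], dport) == c2_socket:
            reason = "TCP connection to C2 socket from decrypted resource"
        if reason:
            hits.append((f["src"], f["dst"], dport, reason))
    return hits


# --- Constructed sample data (documentation IP ranges, not a real capture) ---
SAMPLE_RESOURCE = rc4(RC4_KEY, b"cfg=203.0.113.10:8080;")   # the "downloaded" blob
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "198.51.100.7",  "proto": "udp", "dport": 6000},
    {"src": "10.0.0.5", "dst": "10.0.0.53",     "proto": "udp", "dport": 6000},  # internal DNS-ish, ignored
    {"src": "10.0.0.5", "dst": "203.0.113.10",  "proto": "tcp", "dport": 8080},
    {"src": "10.0.0.5", "dst": "203.0.113.10",  "proto": "tcp", "dport": 7519},
    {"src": "10.0.0.9", "dst": "198.51.100.99", "proto": "tcp", "dport": 443},
]

if __name__ == "__main__":
    sock = extract_c2_socket(SAMPLE_RESOURCE)
    print("C2 socket recovered from resource:", sock)
    for hit in flag_neteagle_flows(SAMPLE_FLOWS, sock):
        print(*hit)
```

Run stand-alone, the script recovers 203.0.113.10:8080 from the constructed blob and flags three of the five flows (the external UDP/6000 beacon, the TCP connection to the recovered C2 socket, and the TCP/7519 session), while the UDP/6000 flow to an internal host is left alone. Port-based matching of this kind is only a first-pass hunt: a plaintext DWORD-command channel is better confirmed by inspecting the TCP payload, and the RC4 key is a static string, so any resource retrieved by the implant can be decrypted offline exactly as shown.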

Groups

Groups that use this software:

APT30

References