JUST RELEASED: ATT&CK for Industrial Control Systems

SOFTWARE

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

X-Agent for Android

SOFTWARE

1-9

A-B

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

E-F

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

S-T

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

X-Agent for Android

Y-Z

NETEAGLE

NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” ^[1]

ID: S0034

Type: MALWARE

Platforms: Windows

Version: 1.0

Created: 31 May 2017

Last Modified: 17 October 2018

Techniques Used

Domain	ID	Name	Use
Enterprise	T1059	Command-Line Interface	NETEAGLE allows adversaries to execute shell commands on the infected host.^[1]
Enterprise	T1094	Custom Command and Control Protocol	If NETEAGLE does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, NETEAGLE will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs.^[1]
Enterprise	T1041	Exfiltration Over Command and Control Channel	NETEAGLE is capable of reading files over the C2 channel.^[1]
Enterprise	T1008	Fallback Channels	NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000.^[1]
Enterprise	T1083	File and Directory Discovery	NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.^[1]
Enterprise	T1057	Process Discovery	NETEAGLE can send process listings over the C2 channel.^[1]
Enterprise	T1060	Registry Run Keys / Startup Folder	The "SCOUT" variant of NETEAGLE achieves persistence by adding itself to the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` Registry key.^[1]
Enterprise	T1071	Standard Application Layer Protocol	NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000. NETEAGLE will also use HTTP to download resources that contain an IP address and Port Number pair to connect to for further C2. Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519.^[1]
Enterprise	T1032	Standard Cryptographic Protocol	NETEAGLE will decrypt resources it downloads with HTTP requests by using RC4 with the key "ScoutEagle."^[1]
Enterprise	T1095	Standard Non-Application Layer Protocol	If NETEAGLE does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, NETEAGLE will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs.^[1]

Groups That Use This Software

ID	Name	References
G0013	APT30	^[1]

References

FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.