ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. [1] [2]

ID: S0045

Associated Software: AZZY, EVILTOSS, NETUI, Sedreco

Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | ADVSTORESHELL can create a remote shell and run a given command.[2][3] |
| Enterprise | T1043 | Commonly Used Port | A variant of ADVSTORESHELL attempts communication to the C2 server over HTTP on port 443.[3] |
| Enterprise | T1122 | Component Object Model Hijacking | Some variants of ADVSTORESHELL achieve persistence by registering the payload as a Shell Icon Overlay handler COM object.[2] |
| Enterprise | T1002 | Data Compressed | ADVSTORESHELL compresses output data generated by command execution with a custom implementation of the Lempel–Ziv–Welch (LZW) algorithm.[2] |
| Enterprise | T1132 | Data Encoding | C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding.[1] |
| Enterprise | T1022 | Data Encrypted | ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.[2] |
| Enterprise | T1074 | Data Staged | ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.[2] |
| Enterprise | T1106 | Execution through API | ADVSTORESHELL is capable of starting a process using CreateProcess.[3] |
| Enterprise | T1041 | Exfiltration Over Command and Control Channel | ADVSTORESHELL exfiltrates data over the same channel used for C2.[2] |
| Enterprise | T1083 | File and Directory Discovery | ADVSTORESHELL can list files and directories.[2][3] |
| Enterprise | T1107 | File Deletion | ADVSTORESHELL can delete files and directories.[2] |
| Enterprise | T1056 | Input Capture | ADVSTORESHELL can perform keylogging.[2][3] |
| Enterprise | T1112 | Modify Registry | ADVSTORESHELL is capable of setting and deleting Registry values.[3] |
| Enterprise | T1027 | Obfuscated Files or Information | Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.[1][3] |
| Enterprise | T1120 | Peripheral Device Discovery | ADVSTORESHELL can list connected devices.[2] |
| Enterprise | T1057 | Process Discovery | ADVSTORESHELL can list running processes.[2] |
| Enterprise | T1012 | Query Registry | ADVSTORESHELL can enumerate registry keys.[2][3] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | ADVSTORESHELL achieves persistence by adding itself to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.[1][2][3] |
| Enterprise | T1085 | Rundll32 | ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence.[3] |
| Enterprise | T1029 | Scheduled Transfer | ADVSTORESHELL collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes.[2] |
| Enterprise | T1071 | Standard Application Layer Protocol | ADVSTORESHELL connects to port 80 of a C2 server using the Wininet API.[1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | A variant of ADVSTORESHELL encrypts some C2 with 3DES and RSA.[3] |
| Enterprise | T1082 | System Information Discovery | ADVSTORESHELL can run Systeminfo to gather information about the victim.[2][3] |
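The two persistence mechanisms listed above (a Run-key value that launches a DLL through rundll32.exe, and a Shell Icon Overlay handler COM registration) leave artifacts that can be triaged from a registry export. The following is an added defender-side example, not MITRE's code and not anything taken from the malware: it parses a constructed `reg export`-style dump, flags Run/RunOnce values that invoke rundll32, and resolves each Shell Icon Overlay handler's CLSID to its InprocServer32 DLL, reporting those outside the Windows and Program Files trees. Every path, value name and CLSID in the sample is a placeholder, and the "trusted location" prefix list is a triage heuristic of this example, not something the page states.

```python
"""Registry persistence triage for two mechanisms attributed to ADVSTORESHELL above:
a Run-key value launching a DLL via rundll32.exe, and a Shell Icon Overlay handler
COM object whose server DLL lives outside trusted program locations.
Added example; the dump below is constructed in 'reg export' style with placeholder
paths, names and CLSIDs."""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_REG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"msdrvs"="rundll32.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\advpack32.dll\",#1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ PlaceholderOverlay]
@="{00000000-0000-0000-0000-000000000001}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SyncOverlay]
@="{00000000-0000-0000-0000-000000000002}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\netui.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\SyncVendor\\SyncShell64.dll"
"ThreadingModel"="Apartment"
"""

# "name"="data" or @="data"; non-string types (dword:, hex:) are kept unquoted as-is.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(?:"((?:[^"\\]|\\.)*)"|(.*))$')
# rundll32 [.exe] followed by the DLL path, optionally quoted, up to the ",entrypoint".
RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?\b\s*"?([^",]+)', re.IGNORECASE)
# Triage heuristic (assumption of this example): explorer.exe is expected to load
# shell extension DLLs from these roots; anything else deserves a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Hives under which a CLSID's InprocServer32 may be registered.
CLASSES_ROOTS = ("HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes",
                 "HKEY_CURRENT_USER\\Software\\Classes")


@dataclass
class Finding:
    kind: str
    key: str
    name: str   # Run value name, or the overlay handler's CLSID
    path: str   # DLL the entry would cause to be loaded


def unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse a reg-export dump into {key_path: {value_name: data}}; '@' is the default value."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) is None else unescape(m.group(1))
        data = unescape(m.group(2)) if m.group(2) is not None else m.group(3)
        keys[current][name] = data
    return keys


def in_trusted_location(path: str) -> bool:
    return path.strip('"').lower().startswith(TRUSTED_PREFIXES)


def resolve_com_server(by_lower: dict[str, dict[str, str]], clsid: str) -> str | None:
    """Return the InprocServer32 default value (the DLL) for a CLSID, if registered."""
    for root in CLASSES_ROOTS:
        entry = by_lower.get(f"{root}\\CLSID\\{clsid}\\InprocServer32".lower())
        if entry is not None and "@" in entry:
            return entry["@"]
    return None


def triage(text: str) -> list[Finding]:
    keys = parse_reg_export(text)
    by_lower = {k.lower(): v for k, v in keys.items()}
    findings: list[Finding] = []
    for key, values in keys.items():
        lk = key.lower()
        if lk.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, data in values.items():
                m = RUNDLL_RE.search(data)
                if m:
                    findings.append(Finding("run_key_rundll32", key, name, m.group(1).strip()))
        elif "\\explorer\\shelliconoverlayidentifiers\\" in lk:
            clsid = values.get("@")
            if not clsid:
                continue
            dll = resolve_com_server(by_lower, clsid)
            if dll is not None and not in_trusted_location(dll):
                findings.append(Finding("shell_icon_overlay_com", key, clsid, dll))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f"{f.kind:24} {f.name:40} -> {f.path}")
```

Run against a real export, the Run-key check fires on every rundll32 launch (which is the behaviour the table records) and is meant to be reviewed, while the overlay check only reports handlers whose DLL is outside the trusted roots; a handler with no resolvable InprocServer32 is silently skipped here and would be worth surfacing in a production version.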

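Two network-side rows above, the fixed 10-minute collect/compress/encrypt/exfiltrate cycle and the variant that speaks HTTP to port 443, are both visible in ordinary connection logs. The example below is added here and is not MITRE's code or anything from the malware: it groups constructed connection records by (source, destination, port), measures how regular the inter-arrival times are with a median absolute deviation, and flags tight cadences, additionally noting when a sensor labelled the traffic plain `http` on 443. The log layout (epoch seconds, source, destination, port, service label) and the 10 % jitter threshold are assumptions of the example.

```python
"""Beacon-cadence check over connection records, added as a defender-side example for
the 10-minute exfiltration interval and the HTTP-on-443 variant attributed to
ADVSTORESHELL.  The log is constructed; its column layout (epoch seconds, source,
destination, port, sensor-labelled service) is an assumption, not a specific product."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed: 10.0.0.5 reaches 203.0.113.10:443 about every 600 s with a few seconds of
# jitter and the sensor labels it plain 'http'; 198.51.100.7 is irregular TLS; 192.0.2.20
# sees only two connections.
SAMPLE_LOG = """\
#ts src dst dport service
1700000000 10.0.0.5 203.0.113.10 443 http
1700000015 10.0.0.5 198.51.100.7 443 ssl
1700000140 10.0.0.5 198.51.100.7 443 ssl
1700000603 10.0.0.5 203.0.113.10 443 http
1700001198 10.0.0.5 203.0.113.10 443 http
1700001560 10.0.0.5 198.51.100.7 443 ssl
1700001600 10.0.0.5 198.51.100.7 443 ssl
1700001801 10.0.0.5 203.0.113.10 443 http
1700002000 10.0.0.5 192.0.2.20 80 http
1700002397 10.0.0.5 203.0.113.10 443 http
1700002950 10.0.0.5 198.51.100.7 443 ssl
1700003002 10.0.0.5 203.0.113.10 443 http
1700003599 10.0.0.5 203.0.113.10 443 http
1700004204 10.0.0.5 203.0.113.10 443 http
1700004300 10.0.0.5 192.0.2.20 80 http
1700005100 10.0.0.5 198.51.100.7 443 ssl
"""


@dataclass
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    service: str   # application protocol as labelled by the sensor ('http', 'ssl', ...)


@dataclass
class Beacon:
    src: str
    dst: str
    dport: int
    count: int
    period_s: float     # median inter-connection interval
    jitter: float       # median absolute deviation of intervals, relative to the period
    http_on_443: bool   # cleartext HTTP on the usual TLS port, as in the T1043 row


def parse_conn_log(text: str) -> list[Conn]:
    conns = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        ts, src, dst, dport, service = line.split()
        conns.append(Conn(float(ts), src, dst, int(dport), service))
    return conns


def find_beacons(conns: list[Conn], min_count: int = 5, max_jitter: float = 0.10) -> list[Beacon]:
    """Flag (src, dst, dport) groups whose connection intervals cluster tightly around a
    period.  Relative MAD is used rather than standard deviation so a single missed or
    retried beacon does not hide an otherwise regular cadence."""
    groups: dict[tuple[str, str, int], list[Conn]] = defaultdict(list)
    for c in conns:
        groups[(c.src, c.dst, c.dport)].append(c)
    beacons = []
    for (src, dst, dport), flows in groups.items():
        if len(flows) < min_count:
            continue
        times = sorted(f.ts for f in flows)
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        jitter = median(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            services = {f.service for f in flows}
            beacons.append(Beacon(src, dst, dport, len(flows), period, jitter,
                                  dport == 443 and "http" in services))
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_conn_log(SAMPLE_LOG)):
        print(f"{b.src} -> {b.dst}:{b.dport}  n={b.count}  period={b.period_s:.0f}s  "
              f"jitter={b.jitter:.3f}  http_on_443={b.http_on_443}")
```

On a real log the thresholds need tuning per environment (software updaters and monitoring agents also beacon regularly), so the output is a candidate list for analyst review, with the HTTP-on-443 flag as one reason to look at a candidate first.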

Groups that use this software: