SslMM

SslMM is a full-featured backdoor used by Naikon that has multiple variants. [1]

ID: S0058
Aliases: SslMM
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1134 | Access Token Manipulation | SslMM contains a feature to manipulate process privileges and tokens. [1]
Enterprise | T1089 | Disabling Security Tools | SslMM identifies and kills anti-malware processes. [1]
Enterprise | T1008 | Fallback Channels | SslMM has a hard-coded primary and backup C2 string. [1]
Enterprise | T1056 | Input Capture | SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators. [1]
Enterprise | T1036 | Masquerading | To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut. [1]
Enterprise | T1023 | Shortcut Modification | To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut. [1]
Enterprise | T1082 | System Information Discovery | SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date. [1]
Enterprise | T1033 | System Owner/User Discovery | SslMM sends the logged-on username to its hard-coded C2. [1]

Groups

Groups that use this software:

Naikon

References