SHOTPUT

SHOTPUT is a custom backdoor used by APT3. [1]

ID: S0063
Associated Software: Backdoor.APT.CookieCutter, Pirpi

Type: MALWARE
Platforms: Windows

Version: 1.0

Associated Software Descriptions

| Name | Description |
|------|-------------|
| Backdoor.APT.CookieCutter | [3] |
| Pirpi | [3] |

Techniques Used

| Domain | ID | Name | Use |
|--------|----|------|-----|
| Enterprise | T1087 | Account Discovery | SHOTPUT has a command to retrieve information about connected users.[2] |
| Enterprise | T1083 | File and Directory Discovery | SHOTPUT has a command to obtain a directory listing.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.[1][2] |
| Enterprise | T1057 | Process Discovery | SHOTPUT has a command to obtain a process listing.[2] |
| Enterprise | T1018 | Remote System Discovery | SHOTPUT has a command to list all servers in the domain, as well as one to locate domain controllers on a domain.[2] |
| Enterprise | T1049 | System Network Connections Discovery | SHOTPUT uses netstat to list TCP connection status.[2] |

Groups

Groups that use this software:

APT3

References