1. Home
  2. Software
  3. SHOTPUT

SHOTPUT

SHOTPUT is a custom backdoor used by APT3. [1]

ID: S0063
Associated Software: Backdoor.APT.CookieCutter, Pirpi
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020
Version Permalink

Associated Software Descriptions

Name Description
Backdoor.APT.CookieCutter

[2]
Pirpi

[2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

SHOTPUT has a command to retrieve information about connected users.[3]
Enterprise T1083 File and Directory Discovery

SHOTPUT has a command to obtain a directory listing.[3]
Enterprise T1027 Obfuscated Files or Information

SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.[1][3]
Enterprise T1057 Process Discovery

SHOTPUT has a command to obtain a process listing.[3]
Enterprise T1018 Remote System Discovery

SHOTPUT has a command to list all servers in the domain, as well as one to locate domain controllers on a domain.[3]
Enterprise T1049 System Network Connections Discovery

SHOTPUT uses netstat to list TCP connection status.[3]

Groups That Use This Software

ID Name References
G0022 APT3

[1]

References

  1. Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
  2. Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
  1. Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.