BLACKCOFFEE

BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013. [1] [2]

ID: S0069
Aliases: BLACKCOFFEE
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

Name         Description
BLACKCOFFEE  [1] [2]

Techniques Used

Domain      ID     Name                          Use
Enterprise  T1059  Command-Line Interface        BLACKCOFFEE has the capability to create a reverse shell. [1]
Enterprise  T1083  File and Directory Discovery  BLACKCOFFEE has the capability to enumerate files. [1]
Enterprise  T1107  File Deletion                 BLACKCOFFEE has the capability to delete files. [1]
Enterprise  T1104  Multi-Stage Channels          BLACKCOFFEE uses Microsoft's TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims' machines. [1]
Enterprise  T1057  Process Discovery             BLACKCOFFEE has the capability to discover processes. [1]
Enterprise  T1102  Web Service                   BLACKCOFFEE uses Microsoft's TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server. It has also obfuscated its C2 traffic as normal traffic to sites such as GitHub. [1] [2]

Groups

Groups that use this software:

APT17
Leviathan

References