Backdoor.Oldrea

Backdoor.Oldrea is a modular backdoor that used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[1][2][3]

ID: S0093
Associated Software: Havex
Type: MALWARE
Platforms: Windows
Version: 2.0
Created: 31 May 2017
Last Modified: 12 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1087 .003 Account Discovery: Email Account

Backdoor.Oldrea collects address book information from Outlook.[1]

Enterprise T1560 Archive Collected Data

Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Backdoor.Oldrea adds Registry Run keys to achieve persistence.[1][2]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Some Backdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.[1]

Enterprise T1083 File and Directory Discovery

Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.[1]

Enterprise T1105 Ingress Tool Transfer

Backdoor.Oldrea can download additional modules from C2.[2]

Enterprise T1046 Network Service Discovery

Backdoor.Oldrea can use a network scanning module to identify ICS-related ports.[2]

Enterprise T1057 Process Discovery

Backdoor.Oldrea collects information about running processes.[1]

Enterprise T1055 Process Injection

Backdoor.Oldrea injects itself into explorer.exe.[1][2]

Enterprise T1018 Remote System Discovery

Backdoor.Oldrea can enumerate and map ICS-specific systems in victim environments.[2]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Backdoor.Oldrea can use rundll32 for execution on compromised hosts.[2]

Enterprise T1082 System Information Discovery

Backdoor.Oldrea collects information about the OS and computer name.[1][2]

Enterprise T1016 System Network Configuration Discovery

Backdoor.Oldrea collects information about the Internet adapter configuration.[1][2]

Enterprise T1033 System Owner/User Discovery

Backdoor.Oldrea collects the current username from the victim.[1]

ICS T0802 Automated Collection

Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. [4]

ICS T0814 Denial of Service

The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications. [5]

ICS T0861 Point & Tag Identification

The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices. [5] [4]

ICS T0846 Remote System Discovery

The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. [6]

ICS T0888 Remote System Information Discovery

The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process. [5] [4]

ICS T0865 Spearphishing Attachment

The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails. [4]

ICS T0862 Supply Chain Compromise

The Backdoor.Oldrea RAT is distributed through trojanized installers planted on compromised vendor sites. [4]

ICS T0863 User Execution

Execution of Backdoor.Oldrea relies on a user opening a trojanized installer attached to an email. [4] [7]

Groups That Use This Software

ID Name References
G0035 Dragonfly

[1][2]

References