Backdoor.Oldrea is a backdoor used by Dragonfly. It appears to be custom malware authored by the group or specifically for it. [1]

ID: S0093
Associated Software: Havex
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1087.003 Account Discovery: Email Account

Backdoor.Oldrea collects address book information from Outlook.[1]

Enterprise T1560 Archive Collected Data

Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Backdoor.Oldrea adds Registry Run keys to achieve persistence.[1]

Enterprise T1555.003 Credentials from Password Stores: Credentials from Web Browsers

Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool.[1]

Enterprise T1132.001 Data Encoding: Standard Encoding

Some Backdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.[1]

Enterprise T1083 File and Directory Discovery

Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.[1]

Enterprise T1070.004 Indicator Removal on Host: File Deletion

Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.[1]

Enterprise T1057 Process Discovery

Backdoor.Oldrea collects information about running processes.[1]

Enterprise T1055 Process Injection

Backdoor.Oldrea injects itself into explorer.exe.[1]

Enterprise T1082 System Information Discovery

Backdoor.Oldrea collects information about the OS and computer name.[1]

Enterprise T1016 System Network Configuration Discovery

Backdoor.Oldrea collects information about the Internet adapter configuration.[1]

Enterprise T1033 System Owner/User Discovery

Backdoor.Oldrea collects the current username from the victim.[1]

Groups That Use This Software

ID Name References
G0035 Dragonfly