Backdoor.Oldrea

Backdoor.Oldrea is a backdoor used by Dragonfly. It appears to be custom malware authored by the group or specifically for it. [1]

ID: S0093
Aliases: Backdoor.Oldrea, Havex
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1003 | Credential Dumping | Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool. [1]
Enterprise | T1022 | Data Encrypted | Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server. [1]
Enterprise | T1001 | Data Obfuscation | Some Backdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers. [1]
Enterprise | T1114 | Email Collection | Backdoor.Oldrea collects address book information from Outlook. [1]
Enterprise | T1083 | File and Directory Discovery | Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files. [1]
Enterprise | T1107 | File Deletion | Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim. [1]
Enterprise | T1057 | Process Discovery | Backdoor.Oldrea collects information about running processes. [1]
Enterprise | T1055 | Process Injection | Backdoor.Oldrea injects itself into explorer.exe. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Backdoor.Oldrea adds Registry Run keys to achieve persistence. [1]
Enterprise | T1082 | System Information Discovery | Backdoor.Oldrea collects information about the OS and computer name. [1]
Enterprise | T1016 | System Network Configuration Discovery | Backdoor.Oldrea collects information about the Internet adapter configuration. [1]
Enterprise | T1033 | System Owner/User Discovery | Backdoor.Oldrea collects the current username from the victim. [1]

Groups

Groups that use this software:

Dragonfly

References