T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. [1] [2]

ID: S0098
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1103AppInit DLLsIf a victim meets certain criteria, T9000 uses the AppInit_DLL functionality to achieve persistence by ensuring that every user mode process that is spawned will load its malicious DLL, ResN32.dll. It does this by creating the following Registry keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs – %APPDATA%\Intel\ResN32.dll and HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs – 0x1.[2]
EnterpriseT1123Audio CaptureT9000 uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\Intel\Skype.[2]
EnterpriseT1119Automated CollectionT9000 searches removable storage devices for files with a pre-defined list of file extensions (e.g. * .doc, *.ppt, *.xls, *.docx, *.pptx, *.xlsx). Any matching files are encrypted and written to a local user directory.[2]
EnterpriseT1022Data EncryptedT9000 encrypts collected data using a single byte XOR key.[2]
EnterpriseT1073DLL Side-LoadingDuring the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.[2]
EnterpriseT1120Peripheral Device DiscoveryT9000 searches through connected drives for removable storage devices.[2]
EnterpriseT1113Screen CaptureT9000 can take screenshots of the desktop and target application windows, saving them to user directories as one byte XOR encrypted .dat files.[2]
EnterpriseT1063Security Software DiscoveryT9000 performs checks for various antivirus and security products during installation.[2]
EnterpriseT1082System Information DiscoveryT9000 gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation.[2]
EnterpriseT1016System Network Configuration DiscoveryT9000 gathers and beacons the MAC and IP addresses during installation.[2]
EnterpriseT1033System Owner/User DiscoveryT9000 gathers and beacons the username of the logged in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM.[2]
EnterpriseT1124System Time DiscoveryT9000 gathers and beacons the system time during installation.[2]
EnterpriseT1125Video CaptureT9000 uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\Intel\Skype.[2]