T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations.  
| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | T9000 searches removable storage devices for files with a pre-defined list of file extensions (e.g. `*.doc`, `*.ppt`, `*.xls`, `*.docx`, `*.pptx`, `*.xlsx`). Any matching files are encrypted and written to a local user directory. |
| Enterprise | T1546.010 | Event Triggered Execution: AppInit DLLs | If a victim meets certain criteria, T9000 uses the AppInit_DLL functionality to achieve persistence by ensuring that every user-mode process that is spawned will load its malicious DLL, ResN32.dll. It does this by creating the following Registry keys: |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | During installation, T9000 drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware. |
| Enterprise | T1120 | Peripheral Device Discovery | |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1124 | System Time Discovery | |
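The AppInit DLLs entry above describes the persistence mechanism but does not reproduce the Registry keys. The following is an added defender-side audit script; it is not code from the ATT&CK page or from any T9000 analysis. It reads the standard Windows AppInit_DLLs locations (native and WOW64 views, as documented by Microsoft), rather than whatever specific keys T9000 writes, and flags any configured DLL named ResN32.dll (the name given on the page) as well as configurations where AppInit loading is enabled without the signed-DLL requirement. The key list, the name allow/deny lists and the finding labels are assumptions you would replace with your own baseline.

```powershell
# Added example for the T1546.010 row; not code from the ATT&CK page or from
# any T9000 analysis. The registry locations are the standard Windows
# AppInit_DLLs values, not the specific keys T9000 writes (the page does not
# list them). 'ResN32.dll' is the DLL name the page gives.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

# Lower-case DLL file names to flag outright (taken from the page).
$KnownBadNames = @('resn32.dll')

function Get-AppInitDllAudit {
    [CmdletBinding()]
    param(
        [string[]]$KeyPath        = $AppInitKeys,
        [string[]]$SuspiciousName = $KnownBadNames
    )

    foreach ($path in $KeyPath) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path

        # LoadAppInit_DLLs gates the whole mechanism; RequireSignedAppInit_DLLs
        # (where present) restricts it to signed DLLs. Missing values count as 0.
        $loadEnabled = if ($null -ne $props.LoadAppInit_DLLs) { [int]$props.LoadAppInit_DLLs } else { 0 }
        $signedOnly  = if ($null -ne $props.RequireSignedAppInit_DLLs) { [int]$props.RequireSignedAppInit_DLLs } else { 0 }

        # AppInit_DLLs is one string; entries are separated by spaces or commas.
        $entries = @([string]$props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ -ne '' })

        if ($entries.Count -eq 0) {
            [pscustomobject]@{
                Key = $path; LoadEnabled = [bool]$loadEnabled; SignedOnly = [bool]$signedOnly
                Dll = $null; Signature = $null; Finding = 'No AppInit DLLs configured'
            }
            continue
        }

        foreach ($entry in $entries) {
            $name = [System.IO.Path]::GetFileName($entry).ToLowerInvariant()

            # Only an absolute path can be checked on disk; a bare name is resolved
            # by the loader's search order and is reported without a signature.
            $sig = $null
            if ([System.IO.Path]::IsPathRooted($entry) -and (Test-Path -LiteralPath $entry -PathType Leaf)) {
                $sig = (Get-AuthenticodeSignature -FilePath $entry).Status
            }

            if ($SuspiciousName -contains $name) {
                $finding = 'DLL name associated with T9000'
            } elseif ($loadEnabled -eq 1 -and $signedOnly -eq 0) {
                $finding = 'AppInit loading enabled without signature requirement'
            } elseif ($null -ne $sig -and $sig -ne 'Valid') {
                $finding = "Configured DLL has signature status $sig"
            } else {
                $finding = 'Review against baseline'
            }

            [pscustomobject]@{
                Key = $path; LoadEnabled = [bool]$loadEnabled; SignedOnly = [bool]$signedOnly
                Dll = $entry; Signature = $sig; Finding = $finding
            }
        }
    }
}

Get-AppInitDllAudit | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session on the host being examined; any non-empty AppInit_DLLs value on a workstation that has no documented reason for one is worth a closer look regardless of the DLL name, since the mechanism injects into every user-mode process that loads user32.dll.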
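For the DLL Side-Loading entry, the pattern a defender can look for is a copy of the legitimate host binary (igfxtray.exe, named on the page) in a location it would not normally occupy, with an unsigned DLL beside it. The script below is an added example, not code from the ATT&CK page or from any T9000 analysis; the search roots and the list of "expected" install locations are assumptions chosen for illustration.

```powershell
# Added example for the T1574.002 row; not code from the ATT&CK page or from
# any T9000 analysis. igfxtray.exe is the binary the page names; the search
# roots and "expected" locations are assumptions to adjust per environment.

$SearchRoots = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:SystemDrive\Users")

# Directories where a legitimate copy would normally live; copies elsewhere are reported.
$ExpectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:windir\System32", "$env:windir\SysWOW64")

$TargetBinary = 'igfxtray.exe'

function Find-SideLoadCandidate {
    [CmdletBinding()]
    param(
        [string[]]$Root     = $SearchRoots,
        [string]$Binary     = $TargetBinary,
        [string[]]$Expected = $ExpectedRoots
    )

    foreach ($root in ($Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $root -Filter $Binary -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe = $_
            $dir = $exe.DirectoryName

            # Skip copies that sit under one of the expected install locations.
            $expectedHit = $Expected | Where-Object {
                $_ -and $dir.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
            }
            if ($expectedHit) { return }   # move on to the next file in the pipeline

            $exeSig = (Get-AuthenticodeSignature -FilePath $exe.FullName).Status
            $dlls   = @(Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue)

            if ($dlls.Count -eq 0) {
                [pscustomobject]@{
                    Executable = $exe.FullName; ExeSignature = $exeSig
                    SideDll = $null; DllSignature = $null; Suspicious = $false
                }
                return
            }

            foreach ($dll in $dlls) {
                $dllSig = (Get-AuthenticodeSignature -FilePath $dll.FullName).Status
                [pscustomobject]@{
                    Executable   = $exe.FullName
                    ExeSignature = $exeSig
                    SideDll      = $dll.Name
                    DllSignature = $dllSig
                    # A validly signed host binary next to a DLL that is not validly
                    # signed is the classic side-loading layout.
                    Suspicious   = ($exeSig -eq 'Valid' -and $dllSig -ne 'Valid')
                }
            }
        }
    }
}

Find-SideLoadCandidate | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

The signature check only tells you whether the DLL carries a valid Authenticode signature, so a hit marked Suspicious is a triage lead rather than a verdict; compare the DLL's hash against the vendor's shipped files before acting on it.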