1. Home
  2. Software
  3. WEBC2

WEBC2

WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. [1][2]

ID: S0109
Type: MALWARE
Platforms: Windows
Contributors: Wes Hurd
Version: 2.0
Created: 31 May 2017
Last Modified: 25 August 2020
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

WEBC2 can open an interactive command shell.[2]
Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\WINDOWS\ntshrui.dll).[1]
Enterprise T1105 Ingress Tool Transfer

WEBC2 can download and execute a file.[2]

Groups That Use This Software

ID Name References
G0006 APT1

[2]

References

  1. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.