SOFTWARE
Arp
at
cmd
Dok
FTP
Net
Orz
Reg
RTM
Tor
yty
SOFTWARE
1-9
A-B
Arp
at
C-D
cmd
Dok
E-F
FTP
G-H
I-J
K-L
M-N
Net
O-P
Orz
Q-R
Reg
RTM
S-T
Tor
U-V
W-X
Y-Z
yty
  1. Home
  2. Software
  3. WEBC2

WEBC2

WEBC2 is a backdoor used by APT1 to retrieve a Web page from a predetermined C2 server. [1][2]

ID: S0109
Type: MALWARE
Platforms: Windows
Version: 1.1
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

WEBC2 can open an interactive command shell.[2]
Enterprise T1038 DLL Search Order Hijacking

Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\WINDOWS\ntshrui.dll).[1]
Enterprise T1105 Remote File Copy

WEBC2 can download and execute a file.[2]

Groups That Use This Software

ID Name References
G0006 APT1 [2]

References

  1. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.