CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.[1][2]

ID: S0137
Associated Software: Sofacy, SOURFACE

Platforms: Windows

Version: 2.0

Associated Software Descriptions

Name | Description
Sofacy | This designation has been used in reporting both to refer to the threat group (APT28) and its associated malware.[1][2][4]
SOURFACE | [1][2][4]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1009 | Binary Padding | CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.[1]
Enterprise | T1024 | Custom Cryptographic Protocol | CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys.[1]
Enterprise | T1132 | Data Encoding | CORESHELL C2 messages are Base64-encoded.[1]
Enterprise | T1027 | Obfuscated Files or Information | CORESHELL obfuscates strings using a custom stream cipher.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.[3]
Enterprise | T1105 | Remote File Copy | CORESHELL downloads another dropper from its C2 server.[1]
Enterprise | T1085 | Rundll32 | CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW".[3]
Enterprise | T1071 | Standard Application Layer Protocol | CORESHELL can communicate over HTTP, SMTP, and POP3 for C2.[1][3]
Enterprise | T1082 | System Information Discovery | CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.[1]


Groups that use this software: