CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL. It has also been referred to as Sofacy, though that term has been used widely to refer to both the group APT28 and malware families associated with the group. [1] [2]

ID: S0137
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1009 | Binary Padding | CORESHELL contains unused machine instructions in a likely attempt to hinder analysis. [1]
Enterprise | T1024 | Custom Cryptographic Protocol | CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys. [1]
Enterprise | T1132 | Data Encoding | CORESHELL C2 messages are Base64-encoded. [1]
Enterprise | T1027 | Obfuscated Files or Information | CORESHELL obfuscates strings using a custom stream cipher. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder. [3]
Enterprise | T1105 | Remote File Copy | CORESHELL downloads another dropper from its C2 server. [1]
Enterprise | T1085 | Rundll32 | CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW". [3]
Enterprise | T1071 | Standard Application Layer Protocol | CORESHELL can communicate over HTTP, SMTP, and POP3 for C2. [1] [3]
Enterprise | T1082 | System Information Discovery | CORESHELL collects the hostname, volume serial number and OS version from the victim and sends the information to its C2 server. [1]
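As an added detection-side example (not part of this ATT&CK entry or of any cited report), the Python below parses process-creation command lines from endpoint telemetry and flags rundll32 invocations whose export is one of the names cited for T1085 above. The sample command lines and DLL paths are constructed for the example; the export names "init" and "InitW" are the ones the entry records.

```python
# Constructed sample process-creation command lines (not observed data).
SAMPLE_CMDLINES = [
    r'rundll32.exe C:\ProgramData\svchost.dll,init',
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\Public\Libraries\update.dll",InitW',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'C:\Windows\System32\notepad.exe C:\notes.txt',
]

# Export names cited in the entry for CORESHELL; compared case-insensitively.
WATCHED_EXPORTS = {"init", "initw"}


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.
    A quoted path glued to ',Export' stays one token, as rundll32 expects."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_rundll32(cmdline):
    """Return (dll_path, export_name) if the command runs rundll32, else None."""
    tokens = split_cmdline(cmdline)
    if len(tokens) < 2:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("rundll32", "rundll32.exe"):
        return None
    # rundll32 takes "<dll>,<export>" as a single argument; split on the
    # last comma so a comma inside the DLL path does not corrupt the export.
    dll_spec = tokens[1]
    if "," not in dll_spec:
        return (dll_spec, "")
    dll_path, export = dll_spec.rsplit(",", 1)
    return (dll_path, export)


def flag_rundll32_exports(cmdlines):
    """Return the command lines whose rundll32 export is on the watch list."""
    hits = []
    for line in cmdlines:
        parsed = parse_rundll32(line)
        if parsed and parsed[1].lower() in WATCHED_EXPORTS:
            hits.append({"cmdline": line, "dll": parsed[0], "export": parsed[1]})
    return hits
```

A hit is a lead, not a verdict: pair it with the DLL path (user-writable locations such as ProgramData or Public) and with the Run-key and Quick Start shortcut artifacts listed under T1060 before escalating.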


Groups that use this software: