TDTESS is a 64-bit .NET binary backdoor used by CopyKittens. [1]

ID: S0164
Platforms: Windows
Version: 1.1
Created: 16 January 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

TDTESS provides a reverse shell on the victim.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

If running as administrator, TDTESS installs itself as a new service named bmwappushservice to establish persistence.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

TDTESS creates then deletes log files during installation of itself as a service.[1]

.006 Indicator Removal: Timestomp

After creating a new service for persistence, TDTESS sets the file creation time for the service to the creation time of the victim's legitimate svchost.exe file.[1]

Enterprise T1105 Ingress Tool Transfer

TDTESS has a command to download and execute an additional file.[1]

Groups That Use This Software

ID Name References
G0052 CopyKittens