Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

TDTESS

TDTESS is a 64-bit .NET binary backdoor used by CopyKittens. [1]

ID: S0164
Aliases: TDTESS
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

NameDescription
TDTESS[1]

Techniques Used

DomainIDNameUse
EnterpriseT1059Command-Line InterfaceTDTESS provides a reverse shell on the victim.[1]
EnterpriseT1107File DeletionTDTESS creates then deletes log files during installation of itself as a service.[1]
EnterpriseT1050New ServiceIf running as administrator, TDTESS installs itself as a new service named bmwappushservice to establish persistence.[1]
EnterpriseT1105Remote File CopyTDTESS has a command to download and execute an additional file.[1]
EnterpriseT1099TimestompAfter creating a new service for persistence, TDTESS sets the file creation time for the service to the creation time of the victim's legitimate svchost.exe file.[1]

Groups

Groups that use this software:

CopyKittens

References