Reaver

Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates its victims have primarily been associated with the "Five Poisons," movements the Chinese government considers dangerous. The family is unusual in that its final payload takes the form of a Control Panel Item (CPL file). [1]

ID: S0172
Aliases: Reaver
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

Name | Description
Reaver | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1196 | Control Panel Items | Reaver drops and executes a malicious CPL file as its payload. [1]
Enterprise | T1094 | Custom Command and Control Protocol | Some Reaver variants use raw TCP for C2. [1]
Enterprise | T1022 | Data Encrypted | Reaver encrypts collected data with an incremental XOR key prior to exfiltration. [1]
Enterprise | T1107 | File Deletion | Reaver deletes the original dropped file from the victim. [1]
Enterprise | T1050 | New Service | Reaver installs itself as a new service. [1]
Enterprise | T1027 | Obfuscated Files or Information | Reaver encrypts some of its files with XOR. [1]
Enterprise | T1012 | Query Registry | Reaver queries the Registry to determine the correct Startup path to use for persistence. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Reaver creates a shortcut file and saves it in a Startup folder to establish persistence. [1]
Enterprise | T1023 | Shortcut Modification | Reaver creates a shortcut file and saves it in a Startup folder to establish persistence. [1]
Enterprise | T1071 | Standard Application Layer Protocol | Some Reaver variants use HTTP for C2. [1]
Enterprise | T1095 | Standard Non-Application Layer Protocol | Some Reaver variants use raw TCP for C2. [1]
Enterprise | T1082 | System Information Discovery | Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information. [1]
Enterprise | T1016 | System Network Configuration Discovery | Reaver collects the victim's IP address. [1]
Enterprise | T1033 | System Owner/User Discovery | Reaver collects the victim's username. [1]

References