Briba is a trojan used by Elderwood to open a backdoor and download files onto compromised hosts. [1] [2]

ID: S0204
Platforms: Windows
Version: 1.0
Created: 18 April 2018
Last Modified: 09 February 2021

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Briba creates run key Registry entries pointing to malicious DLLs dropped to disk.[2] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Briba installs a service pointing to a malicious DLL dropped to disk.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | Briba downloads files onto infected hosts.[2] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Briba uses rundll32 within Registry Run Keys / Startup Folder entries to execute malicious DLLs.[2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0066 | Elderwood | |