CORALDECK is an exfiltration tool used by APT37. [1]

ID: S0212
Platforms: Windows
Version: 1.1
Created: 18 April 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated.[1]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

CORALDECK has exfiltrated data in HTTP POST headers.[1]

Enterprise T1083 File and Directory Discovery

CORALDECK searches for specified files.[1]

Groups That Use This Software

ID Name References
G0067 APT37