CORALDECK

CORALDECK is an exfiltration tool used by APT37. [1]

ID: S0212
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1002 | Data Compressed | CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated. [1] |
| Enterprise | T1022 | Data Encrypted | CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated. [1] |
| Enterprise | T1083 | File and Directory Discovery | CORALDECK searches for specified files. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | CORALDECK has exfiltrated data in HTTP POST headers. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0067 | APT37 | [1] |

References