Comnie is a remote backdoor which has been used in attacks in East Asia. [1]

ID: S0244
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | Comnie uses the net user command. [1]
Enterprise | T1119 | Automated Collection | Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporary file to the remote C2 server. [1]
Enterprise | T1009 | Binary Padding | Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk. [1]
Enterprise | T1043 | Commonly Used Port | Comnie uses ports 80, 8080, 8000, and 443 for communication with the C2 servers. [1]
Enterprise | T1027 | Obfuscated Files or Information | Comnie uses RC4 and Base64 to obfuscate strings. [1]
Enterprise | T1057 | Process Discovery | Comnie uses the tasklist command to view running processes on the victim's machine. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry. [1]
Enterprise | T1018 | Remote System Discovery | Comnie runs the net view command.
Enterprise | T1085 | Rundll32 | Comnie uses Rundll32 to load a malicious DLL. [1]
Enterprise | T1064 | Scripting | Comnie executes BAT and VBS scripts. [1]
Enterprise | T1063 | Security Software Discovery | Comnie attempts to detect several anti-virus products. [1]
Enterprise | T1023 | Shortcut Modification | Comnie establishes persistence via a .lnk file in the victim's startup path. [1]
Enterprise | T1071 | Standard Application Layer Protocol | Comnie uses HTTP for C2 communication. [1]
Enterprise | T1032 | Standard Cryptographic Protocol | Comnie encrypts command and control communications with RC4. [1]
Enterprise | T1082 | System Information Discovery | Comnie collects the hostname of the victim machine. [1]
Enterprise | T1016 | System Network Configuration Discovery | Comnie uses ipconfig /all and route PRINT to identify network adapter and interface information. [1]
Enterprise | T1049 | System Network Connections Discovery | Comnie executes the netstat -ano command. [1]
Enterprise | T1007 | System Service Discovery | Comnie runs the command net start >> %TEMP%\info.dat on a victim. [1]
Enterprise | T1102 | Web Service | Comnie uses blogs and third-party sites (GitHub, Tumblr, and BlogSpot) to avoid DNS-based blocking of its communication with the command and control server. [1]