Comnie is a remote backdoor which has been used in attacks in East Asia. [1]

ID: S0244
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Comnie uses the net user command.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Comnie uses HTTP for C2 communication.[1]

Enterprise T1119 Automated Collection

Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporarily file to the remote C2 server.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry.[1]

.009 Boot or Logon Autostart Execution: Shortcut Modification

Comnie establishes persistence via a .lnk file in the victim’s startup path.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Comnie executes BAT scripts.[1]

.005 Command and Scripting Interpreter: Visual Basic

Comnie executes VBS scripts.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Comnie encrypts command and control communications with RC4.[1]

Enterprise T1027 Obfuscated Files or Information

Comnie uses RC4 and Base64 to obfuscate strings.[1]

.001 Binary Padding

Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.[1]

Enterprise T1057 Process Discovery

Comnie uses the tasklist to view running processes on the victim’s machine.[1]

Enterprise T1018 Remote System Discovery

Comnie runs the net view command

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Comnie attempts to detect several anti-virus products.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Comnie uses Rundll32 to load a malicious DLL.[1]

Enterprise T1082 System Information Discovery

Comnie collects the hostname of the victim machine.[1]

Enterprise T1016 System Network Configuration Discovery

Comnie uses ipconfig /all and route PRINT to identify network adapter and interface information.[1]

Enterprise T1049 System Network Connections Discovery

Comnie executes the netstat -ano command.[1]

Enterprise T1007 System Service Discovery

Comnie runs the command: net start >> %TEMP%\info.dat on a victim.[1]

Enterprise T1102 .002 Web Service: Bidirectional Communication

Comnie uses blogs and third-party sites (GitHub, tumbler, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server.[1]