
Exaramel

Exaramel is a multi-platform backdoor for Linux and Windows systems.[1]

ID: S0343
Type: MALWARE
Platforms: Linux, Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface Exaramel has a command to launch a remote shell and executes commands on the victim’s machine. [1]
Enterprise T1168 Local Job Scheduling Exaramel uses crontab for persistence. [1]
Enterprise T1036 Masquerading The Exaramel dropper creates and starts a Windows service named wsmprovav with the description “Windows Check AV” in an apparent attempt to masquerade as a legitimate service. [1]
Enterprise T1112 Modify Registry Exaramel adds the configuration to the Registry in XML format. [1]
Enterprise T1050 New Service The Exaramel dropper creates and starts a Windows service named wsmprovav with the description “Windows Check AV”. [1]
Enterprise T1027 Obfuscated Files or Information Exaramel uses RC4 for encrypting the configuration. [1]
Enterprise T1105 Remote File Copy Exaramel has a command to download a file from a remote server to execute. [1]
Enterprise T1064 Scripting Exaramel has a command to execute VBS and GO scripts on the victim’s machine. [1]
Enterprise T1063 Security Software Discovery Exaramel checks for anti-virus software installed on the victim’s machine. [1]
Enterprise T1071 Standard Application Layer Protocol Exaramel uses HTTPS for C2 communications. [1]
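The table above gives the host-side indicators this entry supports: the wsmprovav service with the description "Windows Check AV" (T1036, T1050), crontab persistence (T1168), and an RC4-encrypted configuration stored as XML (T1027, T1112). The following Python triage helper is an example added here; it is not code from MITRE or from the cited report. It checks constructed samples against those indicators and shows how a candidate RC4 key can be validated by confirming the decrypted blob is well-formed XML. The service listing, crontab, cron-path heuristic, XML layout and demo key are all assumptions of the example; the entry itself gives no key, registry path or configuration schema.

```python
# Editor-added triage example for the indicators in this ATT&CK entry.
# Not MITRE or ESET tooling. Samples are constructed; the RC4 key and XML
# layout are assumptions for illustration only.
import re
import xml.etree.ElementTree as ET

SERVICE_NAME = "wsmprovav"          # from the entry (T1036 / T1050)
SERVICE_DESC = "Windows Check AV"   # from the entry (T1036 / T1050)

# Constructed service listing: "name<TAB>description" per line.
SAMPLE_SERVICES = (
    "WinRM\tWindows Remote Management (WS-Management)\n"
    "wsmprovav\tWindows Check AV\n"
    "Spooler\tPrint Spooler\n"
)

# Constructed crontab with one job launched from a hidden temp directory.
SAMPLE_CRONTAB = (
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/bin/certbot renew --quiet\n"
    "*/5 * * * * /tmp/.cache/svc >/dev/null 2>&1\n"
    "@reboot /usr/local/bin/backup.sh\n"
)


def find_masquerading_services(listing):
    """Return (name, description, reasons) for rows matching the entry's indicators."""
    hits = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        name, _, desc = line.partition("\t")
        name, desc = name.strip(), desc.strip()
        reasons = []
        if name.lower() == SERVICE_NAME:
            reasons.append("name matches Exaramel dropper service")
        if desc.lower() == SERVICE_DESC.lower():
            reasons.append("description matches Exaramel dropper service")
        if reasons:
            hits.append((name, desc, reasons))
    return hits


# Generic cron triage heuristic (an assumption of this example, not from the
# report): commands run from temp or hidden directories deserve a look.
SUSPICIOUS_PATH = re.compile(r"(^|\s)(/tmp/|/var/tmp/|/dev/shm/|\S*/\.[^/\s]+/)")


def suspicious_cron_entries(crontab):
    """Return (schedule, command) for cron lines whose command hits the heuristic."""
    flagged = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                      # @reboot, @daily, ...
            schedule, _, command = line.partition(" ")
        else:                                         # five time fields, then command
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        if SUSPICIOUS_PATH.search(command):
            flagged.append((schedule, command))
    return flagged


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def recover_xml_config(blob, candidate_keys):
    """Try each candidate key; return (key, root tag) for the first plaintext that
    parses as XML. Parsing is the check that separates the right key from noise."""
    for key in candidate_keys:
        plain = rc4(key, blob)
        if not plain.lstrip().startswith(b"<"):
            continue
        try:
            root = ET.fromstring(plain)
        except ET.ParseError:
            continue
        return key, root.tag
    return None


# Constructed sample: an XML config encrypted under a made-up key (not Exaramel's).
DEMO_KEY = b"demo-key"
DEMO_BLOB = rc4(DEMO_KEY, b"<config><host>203.0.113.10</host><interval>300</interval></config>")

if __name__ == "__main__":
    print(find_masquerading_services(SAMPLE_SERVICES))
    print(suspicious_cron_entries(SAMPLE_CRONTAB))
    print(recover_xml_config(DEMO_BLOB, [b"wrong", DEMO_KEY]))
```

On a live host the service listing would come from a `Get-Service`/`sc query` export and the crontab from `crontab -l` for each user; the key-validation step is what lets an analyst confirm a candidate key pulled from the binary without guessing at the decrypted layout.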

References