Exaramel

Exaramel is a multi-platform backdoor for Linux and Windows systems.[1]

ID: S0343
Type: MALWARE
Platforms: Linux, Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | Exaramel has a command to launch a remote shell and execute commands on the victim's machine.[1]
Enterprise | T1168 | Local Job Scheduling | Exaramel uses crontab for persistence.[1]
Enterprise | T1036 | Masquerading | The Exaramel dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV" in an apparent attempt to masquerade as a legitimate service.[1]
Enterprise | T1112 | Modify Registry | Exaramel adds its configuration to the Registry in XML format.[1]
Enterprise | T1050 | New Service | The Exaramel dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV".[1]
Enterprise | T1027 | Obfuscated Files or Information | Exaramel uses RC4 to encrypt its configuration.[1]
Enterprise | T1105 | Remote File Copy | Exaramel has a command to download a file from a remote server and execute it.[1]
Enterprise | T1064 | Scripting | Exaramel has a command to execute VBS and Go scripts on the victim's machine.[1]
Enterprise | T1063 | Security Software Discovery | Exaramel checks for anti-virus software installed on the victim's machine.[1]
Enterprise | T1071 | Standard Application Layer Protocol | Exaramel uses HTTPS for C2 communications.[1]
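The two Windows-side indicators the entry gives concretely, a service named wsmprovav with the description "Windows Check AV", are enough to write a small hunting check. The script below is an added example and is not part of the ATT&CK entry or ESET's analysis: it scans service-installation records (Windows System log Event ID 7045, "A service was installed in the system") and a registry export of the Services key for either indicator. The flattened key=value log format, the image path C:\ProgramData\wsmprovav.exe and all sample records are constructed for illustration, not taken from real telemetry.

```python
"""Hunt for the Exaramel dropper's masquerading service (wsmprovav / "Windows Check AV").

Added example, not code from the ATT&CK entry. Inputs are constructed samples.
"""
import re
from typing import Dict, List

# Indicators documented in the entry above.
SERVICE_NAME = "wsmprovav"          # resembles the legitimate WinRM provider host, wsmprovhost
SERVICE_DESCRIPTION = "Windows Check AV"

# Constructed Windows System log records (Event ID 7045 = service installed,
# 7036 = service state change), flattened to key=value lines as a SIEM export might.
# Image paths are assumptions for the example, not reported indicators.
SAMPLE_SERVICE_EVENTS: List[str] = [
    "EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe StartType=auto start",
    "EventID=7045 ServiceName=wsmprovav ImagePath=C:\\ProgramData\\wsmprovav.exe StartType=auto start",
    "EventID=7036 ServiceName=wsmprovav Message=entered the running state",
]

# Constructed fragment of `reg export HKLM\SYSTEM\CurrentControlSet\Services` output.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Description"="@%systemroot%\\system32\\spoolsv.exe,-2"
"DisplayName"="Print Spooler"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsmprovav]
"Description"="Windows Check AV"
"ImagePath"="C:\\ProgramData\\wsmprovav.exe"
"""

# key=value tokens; a value runs until the next " key=" or end of line, so it may contain spaces.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# Only direct children of the Services key (no sub-keys such as ...\Spooler\Parameters).
_REG_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.IGNORECASE
)
_REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ values only


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened key=value event line into a dict."""
    return {key: value for key, value in _KV_RE.findall(line)}


def parse_services_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {service_name: {value_name: data}} for REG_SZ values under each service key."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _REG_KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            services[current] = {}
            continue
        if line.startswith("["):
            current = None  # some other key (or a sub-key); not a service root
            continue
        value_match = _REG_VALUE_RE.match(line)
        if value_match and current is not None:
            # .reg files escape backslashes as "\\"; undo that for the stored data.
            services[current][value_match.group(1)] = value_match.group(2).replace("\\\\", "\\")
    return services


def hunt_exaramel_service(event_lines: List[str], reg_export: str) -> List[str]:
    """Flag 7045 installs of the known service name and any service carrying the known description."""
    findings: List[str] = []
    for line in event_lines:
        event = parse_event(line)
        if event.get("EventID") == "7045" and event.get("ServiceName", "").lower() == SERVICE_NAME:
            findings.append(
                f"7045: service {event['ServiceName']} installed from {event.get('ImagePath', '?')}"
            )
    for name, values in parse_services_export(reg_export).items():
        description = values.get("Description", "")
        if name.lower() == SERVICE_NAME or description.casefold() == SERVICE_DESCRIPTION.casefold():
            findings.append(
                f"registry: service {name} description {description!r} image {values.get('ImagePath', '?')}"
            )
    return findings


if __name__ == "__main__":
    for finding in hunt_exaramel_service(SAMPLE_SERVICE_EVENTS, SAMPLE_REG_EXPORT):
        print(finding)
```

The registry check matters because the description string is not carried in the 7045 event; it lives in the service's Description value, so a name-only rule misses a renamed copy of the same dropper while the description rule still catches it.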

References