zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.[1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
zwShell has established persistence by adding itself as a new service.[1] |
Enterprise | T1083 | File and Directory Discovery | ||
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots.[1] |
Enterprise | T1112 | Modify Registry | ||
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol | |
.002 | Remote Services: SMB/Windows Admin Shares |
zwShell has been copied over network shares to move laterally.[1] |
||
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task | |
Enterprise | T1082 | System Information Discovery | ||
Enterprise | T1016 | System Network Configuration Discovery | ||
Enterprise | T1033 | System Owner/User Discovery |
zwShell can obtain the name of the logged-in user on the victim.[1] |
ID | Name | Description |
---|---|---|
C0002 | Night Dragon |
During Night Dragon, threat actors used zwShell to generate Trojan variants, control victim machines, and exfiltrate data.[1] |