SOFTWARE
Arp
at
cmd
Dok
FTP
Net
Orz
Reg
RTM
Tor
yty
SOFTWARE
1-9
A-B
Arp
at
C-D
cmd
Dok
E-F
FTP
G-H
I-J
K-L
M-N
Net
O-P
Orz
Q-R
Reg
RTM
S-T
Tor
U-V
W-X
Y-Z
yty
  1. Home
  2. Software
  3. zwShell

zwShell

zwShell is a remote access tool (RAT) written in Delphi that has been used by Night Dragon.[1]

ID: S0350
Type: MALWARE
Platforms: Windows
Version: 1.0
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

zwShell can launch command-line shells.[1]
Enterprise T1083 File and Directory Discovery

zwShell can browse the file system.[1]
Enterprise T1107 File Deletion

zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots.[1]
Enterprise T1112 Modify Registry

zwShell can modify the Registry.[1]
Enterprise T1050 New Service

zwShell has established persistence by adding itself as a new service.[1]
Enterprise T1076 Remote Desktop Protocol

zwShell has used RDP for lateral movement.[1]
Enterprise T1053 Scheduled Task

zwShell has used SchTasks for execution.[1]
Enterprise T1082 System Information Discovery

zwShell can obtain the victim PC name and OS version.[1]
Enterprise T1016 System Network Configuration Discovery

zwShell can obtain the victim IP address.[1]
Enterprise T1033 System Owner/User Discovery

zwShell can obtain the name of the logged-in user on the victim.[1]
Enterprise T1077 Windows Admin Shares

zwShell has been copied over network shares to move laterally.[1]

Groups That Use This Software

ID Name References
G0014 Night Dragon [1]

References

  1. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.