Register to stream ATT&CKcon 2.0 October 29-30

zwShell

zwShell is a remote access tool (RAT) written in Delphi that has been used by Night Dragon.[1]

ID: S0350
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface zwShell can launch command-line shells. [1]
Enterprise T1083 File and Directory Discovery zwShell can browse the file system. [1]
Enterprise T1107 File Deletion zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots. [1]
Enterprise T1112 Modify Registry zwShell can modify the Registry. [1]
Enterprise T1050 New Service zwShell has established persistence by adding itself as a new service. [1]
Enterprise T1076 Remote Desktop Protocol zwShell has used RDP for lateral movement. [1]
Enterprise T1053 Scheduled Task zwShell has used SchTasks for execution. [1]
Enterprise T1082 System Information Discovery zwShell can obtain the victim PC name and OS version. [1]
Enterprise T1016 System Network Configuration Discovery zwShell can obtain the victim IP address. [1]
Enterprise T1033 System Owner/User Discovery zwShell can obtain the name of the logged-in user on the victim. [1]
Enterprise T1077 Windows Admin Shares zwShell has been copied over network shares to move laterally. [1]

Groups That Use This Software

ID Name References
G0014 Night Dragon [1]

References