zwShell

zwShell is a remote access tool (RAT) written in Delphi that has been used by Night Dragon.[1]

ID: S0350
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | zwShell can launch command-line shells.[1]
Enterprise | T1083 | File and Directory Discovery | zwShell can browse the file system.[1]
Enterprise | T1107 | File Deletion | zwShell has deleted itself after creating a service, and has deleted a temporary file when the system reboots.[1]
Enterprise | T1112 | Modify Registry | zwShell can modify the Registry.[1]
Enterprise | T1050 | New Service | zwShell has established persistence by adding itself as a new service.[1]
Enterprise | T1076 | Remote Desktop Protocol | zwShell has used RDP for lateral movement.[1]
Enterprise | T1053 | Scheduled Task | zwShell has used SchTasks for execution.[1]
Enterprise | T1082 | System Information Discovery | zwShell can obtain the victim PC name and OS version.[1]
Enterprise | T1016 | System Network Configuration Discovery | zwShell can obtain the victim IP address.[1]
Enterprise | T1033 | System Owner/User Discovery | zwShell can obtain the name of the logged-in user on the victim.[1]
Enterprise | T1077 | Windows Admin Shares | zwShell has been copied over network shares to move laterally.[1]

Groups

Groups that use this software:

Night Dragon

References