zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.^[1]

ID: S0350

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 2.0

Created: 30 January 2019

Last Modified: 22 September 2022

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	zwShell can launch command-line shells.^[1]
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	zwShell has established persistence by adding itself as a new service.^[1]
Enterprise	T1083		File and Directory Discovery	zwShell can browse the file system.^[1]
Enterprise	T1070	.004	Indicator Removal: File Deletion	zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots.^[1]
Enterprise	T1112		Modify Registry	zwShell can modify the Registry.^[1]
Enterprise	T1021	.001	Remote Services: Remote Desktop Protocol	zwShell has used RDP for lateral movement.^[1]
		.002	Remote Services: SMB/Windows Admin Shares	zwShell has been copied over network shares to move laterally.^[1]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	zwShell has used SchTasks for execution.^[1]
Enterprise	T1082		System Information Discovery	zwShell can obtain the victim PC name and OS version.^[1]
Enterprise	T1016		System Network Configuration Discovery	zwShell can obtain the victim IP address.^[1]
Enterprise	T1033		System Owner/User Discovery	zwShell can obtain the name of the logged-in user on the victim.^[1]

Campaigns

ID	Name	Description
C0002	Night Dragon	During Night Dragon, threat actors used zwShell to generate Trojan variants, control victim machines, and exfiltrate data.^[1]

References

McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.

zwShell

Enterprise Layer

Techniques Used

Campaigns

References