zwShell
zwShell is a remote access tool (RAT) written in Delphi that has been used by Night Dragon.[1]
ID: S0350
Type: MALWARE
Platforms: Windows
Version: 1.0
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1059 | Command-Line Interface | |
Enterprise | T1083 | File and Directory Discovery | |
Enterprise | T1107 | File Deletion | zwShell has deleted itself after creating a service, and has deleted a temporary file when the system reboots.[1] |
Enterprise | T1112 | Modify Registry | |
Enterprise | T1050 | New Service | zwShell has established persistence by adding itself as a new service.[1] |
Enterprise | T1076 | Remote Desktop Protocol | |
Enterprise | T1053 | Scheduled Task | |
Enterprise | T1082 | System Information Discovery | |
Enterprise | T1016 | System Network Configuration Discovery | |
Enterprise | T1033 | System Owner/User Discovery | zwShell can obtain the name of the logged-in user on the victim.[1] |
Enterprise | T1077 | Windows Admin Shares | zwShell has been copied over network shares to move laterally.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0014 | Night Dragon | [1] |