ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. [1]

ID: S0444
Platforms: Windows
Version: 1.0
Created: 12 May 2020
Last Modified: 29 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

ShimRat has hijacked cryptbase.dll as loaded by migwiz.exe to escalate privileges. Because migwiz.exe is an auto-elevating binary, the User Account Control prompt never appeared.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ShimRat communicated over HTTP and HTTPS with C2 servers.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

ShimRat has installed a start-up entry under the registry key HKCU\Software\microsoft\windows\CurrentVersion\Run to maintain persistence should its other methods fail.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

ShimRat supports a command-shell function that the C2 can invoke.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

ShimRat has installed a Windows service to maintain persistence on victim machines.[1]
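The Run-key and service persistence described in the two entries above can be surveyed on a host with the following script. It is an added example written for this page, not code from the Mofang report or from ShimRat; the list of "trusted" directories and the decision to flag unsigned binaries are this example's own assumptions, not indicators from the report.

```powershell
# Added example (not from the ATT&CK page or the Mofang report): list autostart
# entries in the Run/RunOnce keys and every Windows service, and flag any whose
# binary is missing, unsigned, or outside the usual system directories.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories where autostart binaries are normally expected (assumption for this example).
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-ExePath {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\X\x.exe" /arg   or   C:\tools\x.exe -s
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+\.(exe|dll|bat|cmd))') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-Suspicious {
    # Returns a list of reasons; an empty list means nothing stood out.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return @('binary missing') }
    $reasons = @()
    $lower = $Path.ToLowerInvariant()
    if (-not ($trustedRoots | Where-Object { $lower.StartsWith($_) })) {
        $reasons += 'outside system/program dirs'
    }
    # Catalog-signed OS files report NotSigned on older Windows; treat that as a prompt to look, not a verdict.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    return $reasons
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $exe = Get-ExePath ([string]$p.Value)
        $why = Test-Suspicious $exe
        if ($why) { $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Path = $exe; Why = ($why -join '; ') } }
    }
}

foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Get-ExePath $svc.PathName
    $why = Test-Suspicious $exe
    if ($why) { $findings += [pscustomobject]@{ Source = "Service ($($svc.StartMode))"; Name = $svc.Name; Path = $exe; Why = ($why -join '; ') } }
}

$findings | Sort-Object Source, Name | Format-Table -AutoSize
```

Run it in an elevated session so HKLM and the service list are fully readable. A service whose binary sits in a user-writable directory, or a Run entry pointing at a freshly created unsigned file, is the shape of artefact these two techniques leave behind.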

Enterprise T1005 Data from Local System

ShimRat has the capability to upload collected files to a C2.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system.[1]

Enterprise T1546 .011 Event Triggered Execution: Application Shimming

ShimRat has installed shim databases in the AppPatch folder.[1]

Enterprise T1008 Fallback Channels

ShimRat has used a secondary C2 location if the first was unavailable.[1]

Enterprise T1083 File and Directory Discovery

ShimRat can list directories.[1]

Enterprise T1574 Hijack Execution Flow

ShimRat can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls.[1]
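The cryptbase.dll hijack through migwiz.exe named above and under T1548.002 leaves a concrete artefact: the legitimate cryptbase.dll lives in System32, so a copy sitting beside migwiz.exe in System32\migwiz is the side-loaded file. The following script checks for that, as an added example written for this page rather than code from the Mofang report; the path layout is the standard Windows one, and the output format is this example's own.

```powershell
# Added example (not from the ATT&CK page or the Mofang report): look for a
# cryptbase.dll planted next to migwiz.exe and confirm migwiz.exe auto-elevates.

$system32  = Join-Path $env:SystemRoot 'System32'
$migwizDir = Join-Path $system32 'migwiz'
$target    = Join-Path $migwizDir 'migwiz.exe'

function Test-AutoElevate {
    # $true if the PE's embedded manifest declares <autoElevate>true</autoElevate>.
    # The manifest is stored as plain text in the resource section, so an ASCII scan suffices.
    param([string]$Path)
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    return [bool]($text -match '<autoElevate>\s*true\s*</autoElevate>')
}

function Get-SideLoadFindings {
    # For each DLL name, report a copy found in the host EXE's directory and
    # whether it is byte-identical to the real one in System32.
    param([string]$HostExe, [string[]]$DllNames)
    $dir = Split-Path -Parent $HostExe
    foreach ($dll in $DllNames) {
        $planted = Join-Path $dir $dll
        $legit   = Join-Path $system32 $dll
        if (-not (Test-Path -LiteralPath $planted)) { continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $planted
        [pscustomobject]@{
            HostExe      = $HostExe
            PlantedDll   = $planted
            Signature    = $sig.Status
            SameAsSystem = (Test-Path -LiteralPath $legit) -and
                           ((Get-FileHash -LiteralPath $planted).Hash -eq (Get-FileHash -LiteralPath $legit).Hash)
            CreatedUtc   = (Get-Item -LiteralPath $planted).CreationTimeUtc
        }
    }
}

if (Test-Path -LiteralPath $target) {
    "migwiz.exe declares autoElevate: $(Test-AutoElevate $target)"
    # cryptbase.dll is the DLL named in the report; pass more names to widen the check.
    $hits = @(Get-SideLoadFindings -HostExe $target -DllNames @('cryptbase.dll'))
    if ($hits) { $hits | Format-Table -AutoSize } else { "no side-loaded DLL next to $target" }
} else {
    "migwiz.exe not present at $target"
}
```

Any hit here deserves a look regardless of the signature status: an unsigned copy is the classic case, but even a signed, byte-identical copy placed in that directory has no legitimate reason to exist.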

Enterprise T1070 .004 Indicator Removal: File Deletion

ShimRat can uninstall itself from compromised hosts, as well as create and modify directories and delete, move, copy, and rename files.[1]

Enterprise T1105 Ingress Tool Transfer

ShimRat can download additional files.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems.[1]

Enterprise T1112 Modify Registry

ShimRat has registered two registry keys for shim databases.[1]
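The shim databases in the AppPatch folder (T1546.011 above) and the registry keys that register them (this entry) can be cross-checked against each other. The script below is an added example written for this page, not code from the Mofang report; the two registry locations are the standard AppCompatFlags paths that sdbinst.exe populates, and the output layout and the "orphan" heuristic are this example's own.

```powershell
# Added example (not from the ATT&CK page or the Mofang report): enumerate installed
# shim databases from the registry, list .sdb files under %SystemRoot%\AppPatch, and
# report mismatches between the two. A registration with no file, or a file under
# AppPatch\Custom with no registration, is what to triage first.

$sdbRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$customRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
$appPatch   = Join-Path $env:SystemRoot 'AppPatch'

function Get-InstalledSdb {
    # InstalledSDB\{GUID} holds DatabasePath, DatabaseType, DatabaseDescription and
    # DatabaseInstallTimeStamp (a FILETIME stored as REG_QWORD).
    if (-not (Test-Path $sdbRoot)) { return @() }
    Get-ChildItem $sdbRoot | ForEach-Object {
        $p  = Get-ItemProperty $_.PSPath
        $ts = $null
        if ($p.DatabaseInstallTimeStamp) { $ts = [DateTime]::FromFileTimeUtc([int64]$p.DatabaseInstallTimeStamp) }
        [pscustomobject]@{
            Guid         = $_.PSChildName
            Description  = $p.DatabaseDescription
            Path         = [Environment]::ExpandEnvironmentVariables([string]$p.DatabasePath)
            Type         = $p.DatabaseType
            InstalledUtc = $ts
        }
    }
}

function Get-CustomShimTargets {
    # Custom\<target.exe> holds one value per shim database ({GUID}.sdb) applied to that executable.
    if (-not (Test-Path $customRoot)) { return @() }
    Get-ChildItem $customRoot | ForEach-Object {
        $exe = $_.PSChildName
        (Get-ItemProperty $_.PSPath).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Target = $exe; Sdb = $_.Name } }
    }
}

function Get-SdbFiles {
    Get-ChildItem -Path $appPatch -Recurse -Filter '*.sdb' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
}

$installed = @(Get-InstalledSdb)
$targets   = @(Get-CustomShimTargets)
$files     = @(Get-SdbFiles)

"== Registered shim databases (InstalledSDB)"
$installed | Format-Table -AutoSize
"== Executables with custom shims applied (Custom)"
$targets | Format-Table -AutoSize

$registeredPaths = @($installed | ForEach-Object { $_.Path.ToLowerInvariant() })
"== Registered but database file missing"
$installed | Where-Object { $_.Path -and -not (Test-Path -LiteralPath $_.Path) } | Format-Table Guid, Path
"== .sdb files under AppPatch\Custom with no InstalledSDB record"
$files | Where-Object {
    $_.FullName -like "$appPatch\Custom\*" -and ($registeredPaths -notcontains $_.FullName.ToLowerInvariant())
} | Format-Table FullName, CreationTimeUtc
```

Microsoft's own databases (sysmain.sdb, drvmain.sdb) live directly under AppPatch and are not registered in InstalledSDB, which is why the orphan check is limited to the Custom subfolder. Because ShimRat registers the database through the API rather than sdbinst.exe (see T1106 below), process-creation telemetry for sdbinst.exe will not catch it; the registry writes and file creations above will.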

Enterprise T1106 Native API

ShimRat has used Windows API functions to install the service and shim.[1]

Enterprise T1135 Network Share Discovery

ShimRat can enumerate the drives connected to an infected host.[1]

Enterprise T1027 Obfuscated Files or Information

ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack.[1]

Enterprise T1090 .002 Proxy: External Proxy

ShimRat can use pre-configured HTTP proxies.[1]

Enterprise T1029 Scheduled Transfer

ShimRat can sleep when instructed to do so by the C2.[1]

Groups That Use This Software

ID Name References
G0103 Mofang