DropBook is a Python-based backdoor compiled with PyInstaller.[1]

ID: S0547
Platforms: Windows
Version: 1.0
Created: 22 December 2020
Last Modified: 19 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

DropBook can execute arbitrary shell commands on victim machines.[1][2]

.006 Command and Scripting Interpreter: Python

DropBook is a Python-based backdoor compiled with PyInstaller.[1]
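
Both the summary and this entry rest on DropBook being a PyInstaller one-file build, so the first triage question for a suspect executable is whether it actually carries a PyInstaller archive and what that archive bundles. The Python below is an added example, not code from this page, from DropBook, or from the PyInstaller project. It parses the documented PyInstaller CArchive layout (the 88-byte trailing cookie that starts with the magic bytes MEI 0c 0b 0a 0b 0e and the table of contents it points at, as used by PyInstaller 2.1 and later) and runs against a constructed in-memory sample, because no DropBook sample is reproduced here. The placeholder bootloader bytes, the entry names, their contents and the Python 3.7 version stamp are all assumptions made for that sample.

```python
"""Triage helper: recognise a PyInstaller one-file archive and list what it bundles.

Added example (not DropBook's or PyInstaller's own code). Layout facts used:
an 88-byte cookie at the end of the archive, a TOC of 18-byte entry headers
each followed by a NUL-padded name, and offsets relative to the archive start.
"""
import struct
import zlib

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"      # magic, package length, TOC offset, TOC length, Python version, Python DLL name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes (PyInstaller >= 2.1 layout)
ENTRY_FMT = "!iIIIBc"          # entry length, data offset, stored length, original length, compressed flag, type code
ENTRY_HDR = struct.calcsize(ENTRY_FMT)      # 18 bytes, then the NUL-padded entry name
TYPE_CODES = {b"s": "script", b"m": "module", b"M": "package", b"z": "pyz archive",
              b"Z": "zip archive", b"b": "binary", b"x": "data", b"o": "option"}


def build_sample(entries, pyver=307, pylib=b"python37.dll"):
    """Build a constructed PyInstaller-style one-file binary for testing.

    `entries` is a list of (name, data, type_code, compress). The bootloader
    prefix is a placeholder, not a real PE; only the appended archive is realistic.
    """
    blobs, toc = b"", b""
    for name, data, type_code, compress in entries:
        stored = zlib.compress(data) if compress else data
        name_b = name.encode() + b"\x00"
        entry_len = ENTRY_HDR + len(name_b)
        entry_len += (-entry_len) % 16          # PyInstaller pads each TOC entry to a multiple of 16
        toc += struct.pack(ENTRY_FMT, entry_len, len(blobs), len(stored), len(data),
                           int(compress), type_code.encode())
        toc += name_b.ljust(entry_len - ENTRY_HDR, b"\x00")
        blobs += stored
    pkg_len = len(blobs) + len(toc) + COOKIE_SIZE   # the package length includes the cookie itself
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, len(blobs), len(toc), pyver, pylib)
    bootloader = b"MZ" + b"\x00" * 62 + b"[constructed bootloader stub]"   # assumption: stands in for the real PE
    return bootloader + blobs + toc + cookie


def parse_pyinstaller(blob):
    """Return archive metadata and its table of contents, or None if not a PyInstaller archive."""
    cookie_pos = blob.rfind(PYINST_MAGIC)   # search from the end: the bootloader code also contains the magic
    if cookie_pos == -1 or cookie_pos + COOKIE_SIZE > len(blob):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_SIZE])
    if b"python" not in pylib.lower():      # the older 24-byte (PyInstaller 2.0) cookie has no library name field
        return None
    tail = len(blob) - cookie_pos - COOKIE_SIZE     # bytes after the cookie, e.g. an appended Authenticode signature
    overlay_pos = len(blob) - (pkg_len + tail)      # where the archive starts inside the file
    if overlay_pos < 0:
        return None
    # Newer PyInstaller stores major*100+minor (307), older versions major*10+minor (37).
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    entries = []
    pos, end = overlay_pos + toc_off, overlay_pos + toc_off + toc_len
    while pos + ENTRY_HDR <= end:
        entry_len, off, stored_len, orig_len, cflag, tcode = struct.unpack(ENTRY_FMT, blob[pos:pos + ENTRY_HDR])
        if entry_len < ENTRY_HDR:
            return None                      # corrupt TOC
        name = blob[pos + ENTRY_HDR:pos + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append({"name": name, "type": TYPE_CODES.get(tcode, tcode.decode("ascii", "replace")),
                        "offset": overlay_pos + off, "stored_len": stored_len,
                        "orig_len": orig_len, "compressed": bool(cflag)})
        pos += entry_len
    return {"python": f"{major}.{minor}", "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
            "overlay_pos": overlay_pos, "entries": entries}


def extract_entry(blob, info, name):
    """Return the original bytes of a named TOC entry, inflating zlib-compressed entries."""
    for e in info["entries"]:
        if e["name"] == name:
            raw = blob[e["offset"]:e["offset"] + e["stored_len"]]
            return zlib.decompress(raw) if e["compressed"] else raw
    raise KeyError(name)


SAMPLE_ENTRIES = [   # constructed sample; names and contents are assumptions, not DropBook's
    ("PYZ-00.pyz", b"PYZ\x00" + b"\x00" * 60, "z", False),
    ("python37.dll", b"MZ" + b"\x90" * 40, "b", True),
    ("sample_script", b"import os\nprint('constructed sample; does nothing')\n", "s", True),
]
SAMPLE_BINARY = build_sample(SAMPLE_ENTRIES)

if __name__ == "__main__":
    info = parse_pyinstaller(SAMPLE_BINARY)
    print(f"PyInstaller archive, Python {info['python']} ({info['pylib']}), archive at offset {info['overlay_pos']}")
    for e in info["entries"]:
        print(f"  {e['type']:<12} {e['name']:<16} stored={e['stored_len']:<4} orig={e['orig_len']:<4} compressed={e['compressed']}")
```

Run it against a real file with parse_pyinstaller(open(path, "rb").read()). The magic is searched from the end of the file because the bootloader executable embeds the same constant, and the tail computation keeps the TOC offsets correct when a signature has been appended after the cookie. Older PyInstaller 2.0 builds use a 24-byte cookie without the library name field and are reported as unrecognised here. The script-type entries and the PYZ are the ones to pull out for decompilation when confirming what a sample like DropBook actually does.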

Enterprise T1140 Deobfuscate/Decode Files or Information

DropBook can unarchive data downloaded from the C2 to obtain the payload and persistence modules.[1]

Enterprise T1567 Exfiltration Over Web Service

DropBook has used legitimate web services to exfiltrate data.[2]

Enterprise T1083 File and Directory Discovery

DropBook can collect the names of all files and folders in the Program Files directories.[1][2]

Enterprise T1105 Ingress Tool Transfer

DropBook can download and execute additional files.[1][2]

Enterprise T1082 System Information Discovery

DropBook has checked whether the Arabic language is present in the infected machine's settings.[1]

Enterprise T1102 Web Service

DropBook can communicate with its operators by abusing legitimate web services: Simplenote, Dropbox, and the social media platform Facebook, on which fake accounts are created to control the backdoor and pass it instructions.[1][2]

Groups That Use This Software

ID Name References
G0021 Molerats