GrimAgent

GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020; it is likely used by FIN6 and Wizard Spider.[1]

ID: S0632
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 16 July 2021
Last Modified: 19 September 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

GrimAgent has the ability to use HTTP for C2 communications.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

GrimAgent can set persistence with a Registry run key.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

GrimAgent can use the Windows Command Shell to execute commands, including its own removal.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

GrimAgent can base64 encode C2 replies.[1]

Enterprise T1005 Data from Local System

GrimAgent can collect data and files from a compromised host.[1]

Enterprise T1001 .001 Data Obfuscation: Junk Data

GrimAgent can pad C2 messages with random generated values.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

GrimAgent can use an AES key to encrypt C2 communications.[1]

.002 Encrypted Channel: Asymmetric Cryptography

GrimAgent can use a hardcoded server public RSA key to encrypt the first request to C2.[1]

Enterprise T1480 .002 Execution Guardrails: Mutual Exclusion

GrimAgent uses the last 64 bytes of the binary to compute a mutex name. If the generated name is invalid, it will default to the generic mymutex.[1]

Enterprise T1041 Exfiltration Over C2 Channel

GrimAgent has sent data related to a compromise host over its C2 channel.[1]

Enterprise T1083 File and Directory Discovery

GrimAgent has the ability to enumerate files and directories on a compromised host.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

GrimAgent can delete old binaries on a compromised host.[1]

.009 Indicator Removal: Clear Persistence

GrimAgent can delete previously created tasks on a compromised host.[1]

Enterprise T1105 Ingress Tool Transfer

GrimAgent has the ability to download and execute additional payloads.[1]

Enterprise T1106 Native API

GrimAgent can use Native API including GetProcAddress and ShellExecuteW.[1]

Enterprise T1027 Obfuscated Files or Information

GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.[1]

.001 Binary Padding

GrimAgent has the ability to add bytes to change the file hash.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

GrimAgent has the ability to set persistence using the Task Scheduler.[1]

Enterprise T1082 System Information Discovery

GrimAgent can collect the OS, and build version on a compromised host.[1]

Enterprise T1614 System Location Discovery

GrimAgent can identify the country code on a compromised host.[1]

.001 System Language Discovery

GrimAgent has used Accept-Language to identify hosts in the United Kingdom, United States, France, and Spain.[1]

Enterprise T1016 System Network Configuration Discovery

GrimAgent can enumerate the IP and domain of a target system.[1]

Enterprise T1033 System Owner/User Discovery

GrimAgent can identify the user id on a target machine.[1]

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

GrimAgent can sleep for 195 - 205 seconds after payload execution and before deleting its task.[1]

Groups That Use This Software

ID Name References
G0037 FIN6

[1]

G0102 Wizard Spider

[1]

References