BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.[1][2]

ID: S0642
Platforms: Windows
Version: 1.0
Created: 26 August 2021
Last Modified: 15 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1560.002 Archive Collected Data: Archive via Library

BADFLICK has compressed data using the aPLib compression library.[2]

Enterprise T1005 Data from Local System

BADFLICK has uploaded files from victims' machines.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

BADFLICK can decode shellcode using a custom rotating XOR cipher.[2]

Enterprise T1083 File and Directory Discovery

BADFLICK has searched for files on the infected host.[2]

Enterprise T1105 Ingress Tool Transfer

BADFLICK has downloaded files from its C2 server.[2]

Enterprise T1566.001 Phishing: Spearphishing Attachment

BADFLICK has been distributed via spearphishing campaigns containing malicious Microsoft Word documents.[2]

Enterprise T1082 System Information Discovery

BADFLICK has captured victim computer name, memory space, and CPU details.[2]

Enterprise T1016 System Network Configuration Discovery

BADFLICK has captured victim IP address details.[2]

Enterprise T1204.002 User Execution: Malicious File

BADFLICK has relied upon users clicking on a malicious attachment delivered through spearphishing.[2]

Enterprise T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion

BADFLICK has delayed communication to the actor-controlled IP address by 5 minutes.[2]

Groups That Use This Software

ID Name References
G0065 Leviathan