Chrommme

Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with Gelsemium malware.^[1]

ID: S0667

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 01 December 2021

Last Modified: 11 April 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1560		Archive Collected Data	Chrommme can encrypt and store on disk collected data before exfiltration.^[1]
Enterprise	T1005		Data from Local System	Chrommme can collect data from a local system.^[1]
Enterprise	T1074	.001	Data Staged: Local Data Staging	Chrommme can store captured system information locally prior to exfiltration.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	Chrommme can decrypt its encrypted internal code.^[1]
Enterprise	T1041		Exfiltration Over C2 Channel	Chrommme can exfiltrate collected data via C2.^[1]
Enterprise	T1105		Ingress Tool Transfer	Chrommme can download its code from C2.^[1]
Enterprise	T1106		Native API	Chrommme can use Windows API including `WinExec` for execution.^[1]
Enterprise	T1027	.013	Obfuscated Files or Information: Encrypted/Encoded File	Chrommme can encrypt sections of its code to evade detection.^[1]
Enterprise	T1029		Scheduled Transfer	Chrommme can set itself to sleep before requesting a new command from C2.^[1]
Enterprise	T1113		Screen Capture	Chrommme has the ability to capture screenshots.^[1]
Enterprise	T1082		System Information Discovery	Chrommme has the ability to list drives and obtain the computer name of a compromised host.^[1]
Enterprise	T1016		System Network Configuration Discovery	Chrommme can enumerate the IP address of a compromised host.^[1]
Enterprise	T1033		System Owner/User Discovery	Chrommme can retrieve the username from a targeted system.^[1]

References

Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.

Chrommme

Enterprise Layer

Techniques Used

References