Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with Gelsemium malware.[1]

ID: S0667
Platforms: Windows
Version: 1.1
Created: 01 December 2021
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1560 Archive Collected Data

Chrommme can encrypt and store on disk collected data before exfiltration.[1]

Enterprise T1005 Data from Local System

Chrommme can collect data from a local system.[1]

Enterprise T1074.001 Data Staged: Local Data Staging

Chrommme can store captured system information locally prior to exfiltration.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Chrommme can decrypt its encrypted internal code.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Chrommme can exfiltrate collected data via C2.[1]

Enterprise T1105 Ingress Tool Transfer

Chrommme can download its code from C2.[1]

Enterprise T1106 Native API

Chrommme can call Windows APIs directly, including WinExec, for execution.[1]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Chrommme can encrypt sections of its code to evade detection.[1]
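The T1560, T1074.001 and T1027.013 entries above all describe encrypted material written to disk: collected data staged before exfiltration, and encrypted sections of the backdoor's own code. One triage check a responder runs over a suspected staging directory is a Shannon-entropy measurement, since properly encrypted output is close to 8 bits per byte while text, logs and most executables are not. The script below is an added illustration of that check; it is not code from the Chrommme sample or from the cited report, the byte samples are constructed inline, and the repeating-key XOR helper exists only to show the caveat that weak single-byte obfuscation does not raise entropy and so is not caught by this test.

```python
"""Entropy triage for staged or encrypted files (added example, not from the page's source)."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5, min_len: int = 256) -> bool:
    """High entropy over a non-trivial length is the signal; tiny blobs are inconclusive."""
    return len(data) >= min_len and shannon_entropy(data) >= threshold


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR used only to build a weakly obfuscated sample (not Chrommme's scheme)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic SHA-256 chain standing in for real ciphertext so the example runs offline."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples standing in for files found in a staging directory.
PLAINTEXT_REPORT = (
    b"HOSTNAME=WORKSTATION-01\nUSER=jdoe\nDRIVES=C:\\ D:\\\nIP=10.0.0.5\n"
) * 8
# Single-byte XOR only permutes byte values, so the entropy is identical to the plaintext.
XOR_SAMPLE = xor_encrypt(PLAINTEXT_REPORT, b"k")
# Stands in for properly encrypted staged data.
CIPHERTEXT_SAMPLE = pseudo_random_bytes(2048)


def triage(samples: dict) -> dict:
    """Return {name: (entropy_bits_per_byte, flagged)} for each candidate file."""
    return {name: (round(shannon_entropy(d), 2), looks_encrypted(d)) for name, d in samples.items()}


if __name__ == "__main__":
    results = triage({
        "report.txt": PLAINTEXT_REPORT,
        "report.xor": XOR_SAMPLE,
        "stage.bin": CIPHERTEXT_SAMPLE,
    })
    for name, (entropy, flagged) in results.items():
        print(f"{name}: {entropy} bits/byte, flagged={flagged}")
```

Read the result as a prioritisation aid, not a verdict: compressed archives also score near 8 bits per byte, so a flagged file still needs its header inspected, and a low score does not rule out the kind of light obfuscation the XOR sample shows.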

Enterprise T1029 Scheduled Transfer

Chrommme can set itself to sleep before requesting a new command from C2.[1]
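A fixed sleep between C2 polls, as the T1029 entry above describes, is visible on the wire as near-constant inter-arrival times to one destination. The script below is an added example of the usual detection approach, grouping outbound connections per destination and computing the coefficient of variation of the gaps; it is not code from the Chrommme sample or from the cited report, and the connection records are constructed, with the "c2.example" host polling about every 300 seconds and "cdn.example" as background noise. The default thresholds (at least four polls, variation under 10 percent) are assumptions to tune against your own telemetry.

```python
"""Flag periodic C2 polling from connection timestamps (added example, not from the page's source)."""
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed connection log: (UTC timestamp, destination). Not captured traffic.
SAMPLE_CONNECTIONS = [
    ("2021-06-01T10:00:00Z", "c2.example"),
    ("2021-06-01T10:05:02Z", "c2.example"),
    ("2021-06-01T10:09:58Z", "c2.example"),
    ("2021-06-01T10:15:01Z", "c2.example"),
    ("2021-06-01T10:20:00Z", "c2.example"),
    ("2021-06-01T10:24:59Z", "c2.example"),
    ("2021-06-01T10:00:13Z", "cdn.example"),
    ("2021-06-01T10:00:14Z", "cdn.example"),
    ("2021-06-01T10:07:40Z", "cdn.example"),
    ("2021-06-01T10:31:05Z", "cdn.example"),
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def intervals_by_destination(connections) -> dict:
    """Group connections per destination and return the sorted inter-arrival gaps in seconds."""
    per_dest = {}
    for ts, dest in connections:
        per_dest.setdefault(dest, []).append(_parse(ts))
    gaps = {}
    for dest, times in per_dest.items():
        times.sort()
        gaps[dest] = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    return gaps


def beacon_score(gaps):
    """Coefficient of variation of the gaps; close to 0 means a fixed sleep between polls.

    Returns None when there are too few gaps to say anything.
    """
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return pstdev(gaps) / m


def find_beacons(connections, min_polls: int = 4, max_cv: float = 0.1) -> dict:
    """Return {destination: (mean_gap_seconds, cv)} for hosts polled at a near-constant period."""
    flagged = {}
    for dest, gaps in intervals_by_destination(connections).items():
        if len(gaps) + 1 < min_polls:
            continue
        cv = beacon_score(gaps)
        if cv is not None and cv <= max_cv:
            flagged[dest] = (round(mean(gaps), 1), round(cv, 3))
    return flagged


if __name__ == "__main__":
    for dest, (period, cv) in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"{dest}: period ~{period}s, cv={cv}")
```

Implants that add random jitter to the sleep raise the coefficient of variation, so in practice the threshold is widened and the check is combined with destination rarity and byte-count regularity rather than used alone.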

Enterprise T1113 Screen Capture

Chrommme has the ability to capture screenshots.[1]

Enterprise T1082 System Information Discovery

Chrommme has the ability to list drives and obtain the computer name of a compromised host.[1]

Enterprise T1016 System Network Configuration Discovery

Chrommme can enumerate the IP address of a compromised host.[1]

Enterprise T1033 System Owner/User Discovery

Chrommme can retrieve the username from a targeted system.[1]