1. Home
  2. Software
  3. CHIMNEYSWEEP

CHIMNEYSWEEP

CHIMNEYSWEEP is a backdoor malware that was deployed during HomeLand Justice along with ROADSWEEP ransomware, and has been used to target Farsi and Arabic speakers since at least 2012.[1]

ID: S1149
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 07 August 2024
Last Modified: 09 August 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

CHIMNEYSWEEP can make use of the Windows SilentCleanup scheduled task to execute its payload with elevated privileges.[1]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

CHIMNEYSWEEP can send HTTP GET requests to  C2.[1]
Enterprise T1115 Clipboard Data

CHIMNEYSWEEP can capture content from the clipboard.[1]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

CHIMNEYSWEEP can invoke the PowerShell command [Reflection.Assembly]::LoadFile(\"%s\")\n$i=\"\"\n$r=[%s]::%s(\"%s\",[ref] $i)\necho $r,$i\n to execute secondary payloads.[1]
.005 Command and Scripting Interpreter: Visual Basic

CHIMNEYSWEEP has executed a script named cln.vbs on compromised hosts.[1]
Enterprise T1132 .002 Data Encoding: Non-Standard Encoding

CHIMNEYSWEEP can use a custom Base64 alphabet for encoding C2.[1]
Enterprise T1005 Data from Local System

CHIMNEYSWEEP can collect files from compromised hosts.[1]
Enterprise T1074 .001 Data Staged: Local Data Staging

CHIMNEYSWEEP can store captured screenshots to disk including to a covert store named APPX.%x%x%x%x%x.tmp where %x is a random value.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

CHIMNEYSWEEP can use an embedded RC4 key to decrypt Windows API function strings.[1]
Enterprise T1480 Execution Guardrails

CHIMNEYSWEEP can execute a task which leads to execution if it finds a process name containing "creensaver."[1]
Enterprise T1041 Exfiltration Over C2 Channel

CHIMNEYSWEEP can upload collected files to the command-and-control server.[1]
Enterprise T1083 File and Directory Discovery

CHIMNEYSWEEP has the ability to enumerate directories for files that match a set list.[1]
Enterprise T1070 .006 Indicator Removal: Timestomp

CHIMNEYSWEEP can time stomp its executable, previously dating it between 2010 to 2021.[1]
Enterprise T1105 Ingress Tool Transfer

CHIMNEYSWEEP can download additional files from C2.[1]
Enterprise T1056 .001 Input Capture: Keylogging

CHIMNEYSWEEP has the ability to support keylogging.[1]
Enterprise T1112 Modify Registry

CHIMNEYSWEEP can use the Windows Registry Environment key to change the %windir% variable to point to c:\Windows to enable payload execution.[1]
Enterprise T1106 Native API

CHIMNEYSWEEP can use Windows APIs including LoadLibrary and GetProcAddress.[1]
Enterprise T1027 Obfuscated Files or Information

CHIMNEYSWEEP can use a custom Base64 alphabet to encode an API decryption key.[1]
.001 Binary Padding

The CHIMNEYSWEEP installer has been padded with null bytes to inflate its size.[1]
.007 Dynamic API Resolution

CHIMNEYSWEEP can use LoadLibrary and GetProcAddress to resolve Windows API function strings at run time.[1]
.009 Embedded Payloads

CHIMNEYSWEEP can extract RC4 encrypted embedded payloads for privilege escalation.[1]
Enterprise T1120 Peripheral Device Discovery

CHIMNEYSWEEP can monitor for removable drives.[1]
Enterprise T1057 Process Discovery

CHIMNEYSWEEP can check if a process name contains "creensaver."[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

CHIMNEYSWEEP can use the Windows SilentCleanup scheduled task to enable payload execution.[1]
Enterprise T1113 Screen Capture

CHIMNEYSWEEP can capture screenshots on targeted systems using a timer and either upload them or store them to disk.[1]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

CHIMNEYSWEEP is capable of checking whether a compromised device is running DeepFreeze by Faronics.[1]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

CHIMNEYSWEEP has been dropped by a self-extracting archive signed with a valid digital certificate.[1]
Enterprise T1218 .003 System Binary Proxy Execution: CMSTP

CHIMNEYSWEEP can use CMSTP.exe to install a malicious Microsoft Connection Manager Profile.[1]
Enterprise T1033 System Owner/User Discovery

CHIMNEYSWEEP has included the victim's computer name and username in C2 messages sent to actor-owned infrastructure.[1]
Enterprise T1529 System Shutdown/Reboot

CHIMNEYSWEEP can reboot or shutdown the targeted system or logoff the current user.[1]
Enterprise T1102 Web Service

CHIMNEYSWEEP has the ability to use use Telegram channels to return a list of commands to be executed, to download additional payloads, or to create a reverse shell.[1]

Groups That Use This Software

ID Name References
G1001 HEXANE

HEXANE probed victim infrastructure in support of HomeLand Justice.[2]

Campaigns

ID Name Description
C0038 HomeLand Justice

[1]

References

  1. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  1. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.