CHIMNEYSWEEP is a backdoor malware that was deployed during HomeLand Justice along with ROADSWEEP ransomware, and has been used to target Farsi and Arabic speakers since at least 2012.[1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
CHIMNEYSWEEP can make use of the Windows |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
CHIMNEYSWEEP can send |
Enterprise | T1115 | Clipboard Data |
CHIMNEYSWEEP can capture content from the clipboard.[1] |
|
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
CHIMNEYSWEEP can invoke the PowerShell command |
.005 | Command and Scripting Interpreter: Visual Basic |
CHIMNEYSWEEP has executed a script named cln.vbs on compromised hosts.[1] |
||
Enterprise | T1132 | .002 | Data Encoding: Non-Standard Encoding |
CHIMNEYSWEEP can use a custom Base64 alphabet for encoding C2.[1] |
Enterprise | T1005 | Data from Local System |
CHIMNEYSWEEP can collect files from compromised hosts.[1] |
|
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
CHIMNEYSWEEP can store captured screenshots to disk including to a covert store named |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
CHIMNEYSWEEP can use an embedded RC4 key to decrypt Windows API function strings.[1] |
|
Enterprise | T1480 | Execution Guardrails |
CHIMNEYSWEEP can execute a task which leads to execution if it finds a process name containing "creensaver."[1] |
|
Enterprise | T1041 | Exfiltration Over C2 Channel |
CHIMNEYSWEEP can upload collected files to the command-and-control server.[1] |
|
Enterprise | T1083 | File and Directory Discovery |
CHIMNEYSWEEP has the ability to enumerate directories for files that match a set list.[1] |
|
Enterprise | T1070 | .006 | Indicator Removal: Timestomp |
CHIMNEYSWEEP can time stomp its executable, previously dating it between 2010 to 2021.[1] |
Enterprise | T1105 | Ingress Tool Transfer |
CHIMNEYSWEEP can download additional files from C2.[1] |
|
Enterprise | T1056 | .001 | Input Capture: Keylogging |
CHIMNEYSWEEP has the ability to support keylogging.[1] |
Enterprise | T1112 | Modify Registry |
CHIMNEYSWEEP can use the Windows Registry Environment key to change the |
|
Enterprise | T1106 | Native API |
CHIMNEYSWEEP can use Windows APIs including |
|
Enterprise | T1027 | Obfuscated Files or Information |
CHIMNEYSWEEP can use a custom Base64 alphabet to encode an API decryption key.[1] |
|
.001 | Binary Padding |
The CHIMNEYSWEEP installer has been padded with null bytes to inflate its size.[1] |
||
.007 | Dynamic API Resolution |
CHIMNEYSWEEP can use |
||
.009 | Embedded Payloads |
CHIMNEYSWEEP can extract RC4 encrypted embedded payloads for privilege escalation.[1] |
||
Enterprise | T1120 | Peripheral Device Discovery |
CHIMNEYSWEEP can monitor for removable drives.[1] |
|
Enterprise | T1057 | Process Discovery |
CHIMNEYSWEEP can check if a process name contains "creensaver."[1] |
|
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
CHIMNEYSWEEP can use the Windows |
Enterprise | T1113 | Screen Capture |
CHIMNEYSWEEP can capture screenshots on targeted systems using a timer and either upload them or store them to disk.[1] |
|
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
CHIMNEYSWEEP is capable of checking whether a compromised device is running DeepFreeze by Faronics.[1] |
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
CHIMNEYSWEEP has been dropped by a self-extracting archive signed with a valid digital certificate.[1] |
Enterprise | T1218 | .003 | System Binary Proxy Execution: CMSTP |
CHIMNEYSWEEP can use CMSTP.exe to install a malicious Microsoft Connection Manager Profile.[1] |
Enterprise | T1033 | System Owner/User Discovery |
CHIMNEYSWEEP has included the victim's computer name and username in C2 messages sent to actor-owned infrastructure.[1] |
|
Enterprise | T1529 | System Shutdown/Reboot |
CHIMNEYSWEEP can reboot or shutdown the targeted system or logoff the current user.[1] |
|
Enterprise | T1102 | Web Service |
CHIMNEYSWEEP has the ability to use use Telegram channels to return a list of commands to be executed, to download additional payloads, or to create a reverse shell.[1] |
ID | Name | References |
---|---|---|
G1001 | HEXANE |
HEXANE probed victim infrastructure in support of HomeLand Justice.[2] |
ID | Name | Description |
---|---|---|
C0038 | HomeLand Justice |