RIFLESPINE is a cross-platform backdoor that leverages Google Drive for file transfer and command execution.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | RIFLESPINE can use HTTP |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | RIFLESPINE can execute commands with |
| Enterprise | T1543.002 | Create or Modify System Process: Systemd Service | RIFLESPINE can create a systemd service file for execution.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | RIFLESPINE can stage the output from executed C2 commands to a temporary file.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | RIFLESPINE can deobfuscate encrypted files prior to execution on targeted hosts.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | RIFLESPINE can use the AES algorithm to encrypt C2 data.[1] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | RIFLESPINE can upload results from executed C2 commands to cloud storage.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | RIFLESPINE can download and execute files.[1] |
| Enterprise | T1082 | System Information Discovery | RIFLESPINE can collect system information after installation on infected systems.[1] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | RIFLESPINE can retrieve C2 commands from an encrypted file on Google Drive, then upload the results of command execution back to Google Drive.[1] |