Software: JHUHUGIT, Seduploader, ...

Software
ID: S0044
Aliases: JHUHUGIT, Seduploader, JKEYSKW, Sednit, GAMEFISH
Type: Malware

JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware.[1][2][3][4]

Techniques Used

  • Rundll32 - JHUHUGIT is executed using rundll32.exe.[2]
  • Process Injection - JHUHUGIT performs code injection, injecting its own functions into browser processes.[2]
  • File Deletion - The JHUHUGIT dropper deletes itself from the victim.[3]
  • New Service - JHUHUGIT has registered itself as a service to establish persistence.[3]
  • Scheduled Task - JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in.[3][5]
  • Component Object Model Hijacking - JHUHUGIT has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A}).[3]
  • Logon Scripts - JHUHUGIT has registered a Windows shell script under the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.[3]
  • Fallback Channels - JHUHUGIT tests whether it can reach its C2 server by first attempting a direct connection; if that fails, it obtains the system proxy settings and sends the connection through the proxy; if the proxy method also fails, it injects code into a running browser.[3]
  • System Information Discovery - JHUHUGIT obtains a build identifier as well as victim hard drive information from the Windows Registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum.[3]
  • Remote File Copy - JHUHUGIT retrieves and executes an additional payload from its C2 server.[3]
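Three of the persistence techniques above leave their evidence in the Registry: the UserInitMprLogonScript value, a per-user CLSID registration that shadows a machine-wide COM class, and a Shell Icon Overlay handler pointing at the listed CLSID. The following script is an added example, not ATT&CK's or the cited reports' code: it parses a Windows registry export (.reg text, as produced by `reg export`) offline and flags those locations. The Registry paths and the Shell Icon Overlay CLSID come from the page; the MMDeviceEnumerator CLSID is a well-known Windows constant I am adding; the sample export is constructed.

```python
"""Audit a .reg export for the JHUHUGIT-style persistence locations listed
above (logon script, per-user COM hijack, Shell Icon Overlay handler).
Added example; not code from ATT&CK or the referenced reports."""
import re

# Indicators taken from the page.
LOGON_SCRIPT_KEY = r"HKEY_CURRENT_USER\Environment"
LOGON_SCRIPT_VALUE = "UserInitMprLogonScript"
OVERLAY_CLSID = "{3543619C-D563-43f7-95EA-4DA7E1CC396A}"
# Assumed well-known Windows constant for the MMDeviceEnumerator class
# (the page names the class, not its GUID).
MMDEVICE_CLSID = "{BCDE0395-E52F-467C-8E3D-C4579291692E}"

# Per-user CLSID\InprocServer32 keys; HKCU takes precedence over HKLM for
# non-elevated processes, which is what makes COM hijacking work.
HKCU_INPROC_RE = re.compile(
    r"^HKEY_CURRENT_USER\\SOFTWARE\\CLASSES\\CLSID\\(\{[0-9A-F-]+\})\\INPROCSERVER32$")
OVERLAY_HANDLER_MARK = r"\EXPLORER\SHELLICONOVERLAYIDENTIFIERS\""
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(data):
    """Undo .reg string escaping; hex:/dword: data is returned untouched."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a .reg export (file order kept)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = _unquote(m.group(2))
    return keys


def audit_reg_text(text):
    """Return [(label, key_path, data)] for every persistence indicator found."""
    findings = []
    for path, values in parse_reg(text).items():
        upper = path.upper()
        if upper == LOGON_SCRIPT_KEY.upper() and LOGON_SCRIPT_VALUE in values:
            findings.append(("logon_script", path, values[LOGON_SCRIPT_VALUE]))
        m = HKCU_INPROC_RE.match(upper)
        if m:
            clsid, server = m.group(1), values.get("(Default)", "")
            label = "com_hijack_hkcu"  # any per-user server registration is worth review
            if clsid == OVERLAY_CLSID.upper():
                label = "com_hijack_shell_icon_overlay"
            elif clsid == MMDEVICE_CLSID.upper():
                label = "com_hijack_mmdeviceenumerator"
            findings.append((label, path, server))
        if (OVERLAY_HANDLER_MARK.rstrip('"') in upper
                and values.get("(Default)", "").upper() == OVERLAY_CLSID.upper()):
            findings.append(("shell_icon_overlay_handler", path, values["(Default)"]))
    return findings


# Constructed sample export: two benign entries plus the three indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Environment]
"TEMP"="%USERPROFILE%\\AppData\\Local\\Temp"
"UserInitMprLogonScript"="C:\\Users\\victim\\AppData\\Roaming\\update.bat"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\shell.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\UpdateOverlay]
@="{3543619C-D563-43f7-95EA-4DA7E1CC396A}"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"
'''

if __name__ == "__main__":
    for label, path, data in audit_reg_text(SAMPLE_REG):
        print(f"{label:32} {path} -> {data}")
```

The generic `com_hijack_hkcu` finding is deliberately broad: legitimate per-user COM registrations exist, so it is a triage queue rather than a verdict, while the two CLSID-specific labels and the logon-script value map directly to the behaviours described for this family.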

Groups

The following groups use this software: