Software: JHUHUGIT, Seduploader, ...

Software
ID S0044
Aliases JHUHUGIT, Seduploader, JKEYSKW, Sednit, GAMEFISH, SofacyCarberp
Type Malware
Platform Windows

JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware.[1][2][3][4]

Alias Descriptions

  • JHUHUGIT [4]
  • Seduploader [4]
  • JKEYSKW [4]
  • Sednit [4]
  • GAMEFISH [4]
  • SofacyCarberp [5]

Techniques Used

  • Rundll32 - JHUHUGIT is executed using rundll32.exe.[2]
  • Process Injection - JHUHUGIT performs code injection, injecting its own functions into browser processes.[2][5]
  • File Deletion - The JHUHUGIT dropper can delete itself from the victim.[3] Another JHUHUGIT variant has the capability to delete specified files.[5]
  • New Service - JHUHUGIT has registered itself as a service to establish persistence.[3]
  • Scheduled Task - JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in.[3][6]
  • Component Object Model Hijacking - JHUHUGIT has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A}).[3]
  • Logon Scripts - JHUHUGIT has registered a Windows shell script under the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.[3]
  • Fallback Channels - JHUHUGIT tests whether it can reach its C2 server by first attempting a direct connection; if that fails, it obtains the system proxy settings and sends the connection through the proxy, and if the proxy method also fails, it injects code into a running browser.[3]
  • System Information Discovery - JHUHUGIT obtains a build identifier as well as victim hard drive information from the Windows Registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum.[3] Another JHUHUGIT variant gathers the victim storage volume serial number and the storage device name.[5]
  • Screen Capture - A JHUHUGIT variant takes screenshots by simulating the user pressing the "Take Screenshot" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image.[7]
  • Clipboard Data - A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.[7]
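The persistence techniques listed above map to a small set of Registry locations, which makes them cheap to audit. The following PowerShell script is an added example (not part of the ATT&CK entry) that checks the logon script value, the Shell Icon Overlay CLSID quoted above, and per-user COM registrations of MMDeviceEnumerator; the MMDeviceEnumerator CLSID is the documented Windows value and is an assumption not stated on this page.

```powershell
# Added audit script: reports the JHUHUGIT persistence locations named in the
# Techniques Used list. Read-only; run in a normal or elevated PowerShell session.
$Findings = @()

# Logon Scripts: HKCU\Environment\UserInitMprLogonScript
$envKey = Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
if ($envKey -and $envKey.PSObject.Properties['UserInitMprLogonScript']) {
    $Findings += "UserInitMprLogonScript is set: $($envKey.UserInitMprLogonScript)"
}

# COM hijacking: a per-user CLSID key shadows the machine-wide one, so any
# HKCU registration of MMDeviceEnumerator is abnormal. The MMDeviceEnumerator
# CLSID is the documented Windows value (assumption: not on the page); the
# overlay-handler CLSID is the one the entry cites.
$Clsids = @{
    'MMDeviceEnumerator'       = '{BCDE0395-E52F-467C-8E3D-C4579291692E}'
    'JHUHUGIT overlay handler' = '{3543619C-D563-43f7-95EA-4DA7E1CC396A}'
}
foreach ($name in $Clsids.Keys) {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Classes\CLSID\$($Clsids[$name])\InprocServer32"
        $srv = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $srv) { continue }
        # Any registration of the cited overlay CLSID is suspect; for the
        # legitimate MMDeviceEnumerator class only the HKCU copy is.
        if ($name -ne 'MMDeviceEnumerator' -or $hive -eq 'HKCU') {
            $Findings += "$name InprocServer32 found in ${hive}: $($srv.'(default)')"
        }
    }
}

# Shell Icon Overlay handlers whose default value points at the cited CLSID
$overlayPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
Get-ChildItem -Path $overlayPath -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
    if ($clsid -eq $Clsids['JHUHUGIT overlay handler']) {
        $Findings += "Overlay handler '$($_.PSChildName)' -> $clsid"
    }
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No JHUHUGIT persistence indicators found in the checked locations.' }
```

The script only inspects the locations this entry names; the service and scheduled task persistence described above need the usual service and task enumeration, which this example does not cover.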

Groups

The following groups use this software: