Software: BADNEWS

From enterprise
BADNEWS
Software
ID S0128
Aliases BADNEWS
Type Malware
Platform Windows

BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. It was named for its use of RSS feeds, forums, and blogs for command and control.[1]

Alias Descriptions

  • BADNEWS [1]

Techniques Used

  • DLL Side-Loading - BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.[1][2]
  • Web Service - BADNEWS can use multiple C2 channels, including RSS feeds, GitHub, forums, and blogs.[1] BADNEWS also collects C2 information via a dead drop resolver.[2]
  • Data Obfuscation - After encrypting C2 data, BADNEWS converts the ciphertext into a hexadecimal representation and then encodes that hex string in base64.[1]
  • Process Hollowing - BADNEWS has a command to download an .exe and use process hollowing to inject it into a new process.[1]
  • Remote File Copy - BADNEWS is capable of downloading additional files through its C2 channels, including a new version of itself.[1][2]
  • Screen Capture - BADNEWS has a command to take a screenshot and send it to the C2 server.[1][2]
  • Input Capture - When it first starts, BADNEWS spawns a new thread to log keystrokes.[1][2]
  • Data from Local System - When it first starts, BADNEWS crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.[1][2]
  • Data from Network Shared Drive - When it first starts, BADNEWS crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.[1]
  • Data Staged - BADNEWS copies documents under 15MB found on the victim system to the user's %temp%\SMB\ folder.[1]
  • Peripheral Device Discovery - BADNEWS checks for newly attached drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message.[1]
  • Masquerading - BADNEWS attempts to hide its payloads using legitimate filenames.[2]
  • Scheduled Task - BADNEWS creates a scheduled task to establish Persistence by executing a malicious payload every subsequent minute.[2]
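The two behaviours in the list above that an analyst is most likely to have to act on are the layered C2 encoding (encrypt, then hex, then base64) and the host-side footprint (documents staged under %temp%\SMB\, a DLL loaded into a Java or VMware process from a user-writable path, and a one-minute scheduled task). The following Python is an added example written for this page; it is not BADNEWS code and not MITRE's. The page does not describe the cipher applied before the hex/base64 layers, so a placeholder single-byte XOR (xor_key) is assumed only to make the wrap/unwrap round-trip; the telemetry records, process names and paths are constructed, and the "trusted directory" heuristic is an assumption, not a documented indicator.

```python
"""Added analyst helpers for the BADNEWS behaviours listed above.
Illustrative code for this page, not BADNEWS's own or MITRE's.
The cipher applied before the hex/base64 layering is not documented here,
so a placeholder XOR (assumption) stands in for it."""
import base64
import binascii
import re

# --- Data Obfuscation: base64( hex( encrypt(data) ) ) --------------------

def toy_encrypt(data: bytes, xor_key: int = 0x2A) -> bytes:
    # Placeholder cipher (assumption). XOR is its own inverse, so the same
    # call both encrypts and decrypts. Not the real BADNEWS algorithm.
    return bytes(b ^ xor_key for b in data)

def wrap_c2(plaintext: bytes, xor_key: int = 0x2A) -> str:
    """Apply the layering the page describes: encrypt -> hex -> base64."""
    hex_text = binascii.hexlify(toy_encrypt(plaintext, xor_key))
    return base64.b64encode(hex_text).decode("ascii")

def unwrap_c2(blob: str, xor_key: int = 0x2A) -> bytes:
    """Reverse the layering. Raises ValueError if the blob is not base64
    whose decoded payload is itself hex text."""
    try:
        hex_text = base64.b64decode(blob, validate=True)
        ciphertext = binascii.unhexlify(hex_text)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not base64(hex(...)): {exc}") from exc
    return toy_encrypt(ciphertext, xor_key)

def looks_like_badnews_layering(blob: str) -> bool:
    """Cheap triage check for the double encoding: the base64 layer must
    decode to an even-length run of lowercase hex digits."""
    try:
        inner = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(inner) % 2 == 0 and re.fullmatch(rb"[0-9a-f]+", inner) is not None

# --- Host-side indicators from the technique list -------------------------

DOC_EXTS = (".doc", ".docx", ".pdf", ".ppt", ".pptx", ".txt")  # from the page
STAGING_DIR = re.compile(r"\\temp\\smb\\", re.IGNORECASE)      # %temp%\SMB\
SIDELOAD_HOST = re.compile(r"java|vmware", re.IGNORECASE)       # host image name
# Assumption: a DLL loaded from outside these roots into such a host is suspect.
TRUSTED_DIRS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.IGNORECASE)

def triage_events(events: list[dict]) -> list[str]:
    """Return one finding string per event that matches a listed behaviour."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file_create":
            path = ev["path"]
            if STAGING_DIR.search(path) and path.lower().endswith(DOC_EXTS):
                findings.append(f"staged document: {path}")
        elif kind == "image_load":
            host, dll = ev["image"], ev["loaded"]
            host_name = host.rsplit("\\", 1)[-1]
            if SIDELOAD_HOST.search(host_name) and not TRUSTED_DIRS.match(dll):
                findings.append(f"possible side-load: {host} loaded {dll}")
        elif kind == "schtask_create":
            if ev.get("interval_minutes") == 1:
                findings.append(f"one-minute scheduled task: {ev['name']} -> {ev['command']}")
    return findings

# Constructed sample telemetry (not real logs): three hits, three benign.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\SMB\q3-budget.xlsx"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\SMB\report.docx"},
    {"type": "image_load", "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "loaded": r"C:\Program Files\Java\jre\bin\jvm.dll"},
    {"type": "image_load", "image": r"C:\Users\alice\AppData\Roaming\Updater\javaw.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\Updater\helper.dll"},
    {"type": "schtask_create", "name": "Updater", "interval_minutes": 1,
     "command": r"C:\Users\alice\AppData\Roaming\Updater\javaw.exe"},
    {"type": "schtask_create", "name": "NightlyBackup", "interval_minutes": 1440,
     "command": r"C:\Program Files\Backup\backup.exe"},
]

if __name__ == "__main__":
    blob = wrap_c2(b"hello")
    print(blob, looks_like_badnews_layering(blob), unwrap_c2(blob))
    for line in triage_events(SAMPLE_EVENTS):
        print(line)
```

Note that the staging check keys on the document extensions the page lists, so the .xlsx in the sample is deliberately not flagged; if you are hunting for this family, the extension list is the thing to keep in sync with reporting rather than the directory name.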

Groups

The following groups use this software: