Software: BADNEWS

BADNEWS
Software
ID: S0128
Aliases: BADNEWS
Type: Malware

BADNEWS is malware that has been used by the actors responsible for the MONSOON campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control.[1]

Techniques Used

  • DLL Side-Loading - BADNEWS typically loads its DLL file into a legitimate signed Java executable.[1]
  • Web Service - BADNEWS can use multiple C2 channels, including RSS feeds, Github, forums, and blogs.[1]
  • Data Obfuscation - After encrypting C2 data, BADNEWS converts it into a hexadecimal representation and then encodes it into base64.[1]
  • Process Hollowing - BADNEWS has a command to download an .exe and use process hollowing to inject it into a new process.[1]
  • Remote File Copy - BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[1]
  • Screen Capture - BADNEWS has a command to take a screenshot and send it to the C2 server.[1]
  • Input Capture - When it first starts, BADNEWS spawns a new thread to log keystrokes.[1]
  • Data from Local System - When it first starts, BADNEWS crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.[1]
  • Data from Network Shared Drive - When it first starts, BADNEWS crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.[1]
  • Data Staged - BADNEWS copies documents under 15MB found on the victim system to the user's %temp%\SMB\ folder.[1]
  • Peripheral Device Discovery - BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message.[1]
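As an added example (not from this page or the MONSOON reporting), the following Python reverses the two encoding layers described under Data Obfuscation (hex, then base64) and uses that layering as a hunting heuristic over text pulled from a web service channel. The inner cipher is not described here, so only the encoding layers are peeled; the function names, the minimum-length threshold and the sample posts are my own assumptions.

```python
import base64
import binascii
import string
from typing import List, Optional

HEX_DIGITS = set(string.hexdigits)


def peel_badnews_layers(blob: str, min_hex_len: int = 8) -> Optional[bytes]:
    """Undo base64(hex(ciphertext)); return the still-encrypted bytes.

    Returns None when the input does not match that layering. The cipher
    underneath is not described on the page, so nothing is decrypted.
    """
    try:
        inner = base64.b64decode(blob, validate=True)
        text = inner.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    # A hex layer is non-empty, even-length and made only of hex digits.
    # The length floor (assumed value) cuts false positives on short tokens.
    if len(text) < min_hex_len or len(text) % 2 or any(c not in HEX_DIGITS for c in text):
        return None
    return bytes.fromhex(text)


def looks_double_encoded(blob: str) -> bool:
    """Hunting heuristic: base64 whose decoded content is itself pure hex."""
    return peel_badnews_layers(blob) is not None


def encode_like_badnews(ciphertext: bytes) -> str:
    """Apply the page's layering to already-encrypted bytes (for test data)."""
    return base64.b64encode(ciphertext.hex().encode("ascii")).decode("ascii")


def flag_posts(posts: List[str]) -> List[str]:
    """Return the posts/comments that carry the double-encoded layering."""
    return [p for p in posts if looks_double_encoded(p)]


# Constructed sample data: fake ciphertext bytes and fake forum comments.
SAMPLE_CIPHERTEXT = bytes([0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02])
SAMPLE_BLOB = encode_like_badnews(SAMPLE_CIPHERTEXT)
CONSTRUCTED_POSTS = [
    "Great article, thanks for sharing!",
    SAMPLE_BLOB,
    "aGVsbG8gd29ybGQ=",  # base64("hello world"): valid base64, not a hex layer
]
```

Only the encoding is recognisable from the page, so a match is a lead for analysis, not proof of infection; tune `min_hex_len` upward if benign hex-in-base64 content is common in the feeds you monitor.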

Groups

The following groups use this software: