Software: CORESHELL, SOURFACE

CORESHELL, SOURFACE
Software
ID: S0137
Aliases: CORESHELL, SOURFACE
Type: Malware
Platform: Windows

CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL. It has also been referred to as Sofacy, though that term has been used widely to refer to both the group APT28 and malware families associated with the group.[1][2]

Techniques Used

  • Binary Padding - CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.[1]
  • System Information Discovery - CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.[1]
  • Rundll32 - CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW".[3]
  • Registry Run Keys / Start Folder - CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.[3]
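As an added example (not part of this page or of the ATT&CK project), a small Python detector that applies the two host-based techniques listed above to constructed Sysmon-style log lines: it flags rundll32 launches whose export argument is "init" or "InitW", and Run-key values whose data launches rundll32 the same way. The log format, field names, paths and sample lines are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style sample lines (not real telemetry): process creation
# (EventID 1) and registry value set (EventID 13) events, one key=value per field.
SAMPLE_LOG = [
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine="rundll32.exe C:\\Users\\Public\\tmp\\core.dll,init"',
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine="RUNDLL32 %APPDATA%\\svc.dll, InitW"',
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe CommandLine="rundll32.exe shell32.dll,Control_RunDLL"',
    'EventID=13 TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc Details="rundll32.exe %APPDATA%\\svc.dll,InitW"',
    'EventID=13 TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive Details="C:\\Program Files\\OneDrive\\OneDrive.exe /background"',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# rundll32 is invoked as "<dll>,<export>" (a space after the comma is tolerated).
# The export names from this page are matched literally; the executable name is
# matched case-insensitively because filename casing in logs varies.
RUNDLL32_RE = re.compile(
    r'(?i:rundll32(?:\.exe)?)\s+(?P<dll>[^\s,"]+)\s*,\s*(?P<export>init|InitW)\b'
)
RUN_KEY_RE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\', re.IGNORECASE)


def parse_fields(line: str) -> Dict[str, str]:
    """Split one key=value line; quoted values keep only their inner text."""
    return {key: (inner if raw.startswith('"') else raw)
            for key, raw, inner in FIELD_RE.findall(line)}


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per line matching the rundll32 or Run-key pattern."""
    alerts = []
    for line in lines:
        fields = parse_fields(line)
        if fields.get("EventID") == "1":
            hit = RUNDLL32_RE.search(fields.get("CommandLine", ""))
            technique = "Rundll32"
        elif fields.get("EventID") == "13" and RUN_KEY_RE.search(fields.get("TargetObject", "")):
            # Only Run values whose data launches rundll32 with init/InitW are
            # flagged; a looser rule could review any rundll32 in a Run value.
            hit = RUNDLL32_RE.search(fields.get("Details", ""))
            technique = "Registry Run Keys / Start Folder"
        else:
            continue
        if hit:
            alerts.append({"technique": technique, "dll": hit["dll"], "export": hit["export"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```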

Groups

The following groups use this software: