Kaspersky Threats — Backdoor.Win32.PPdoor.ap

Třída: Backdoor

Zadní stěny jsou navrženy tak, aby poskytovaly škodlivým uživatelům vzdálený přístup k infikovanému počítači. Pokud jde o funkčnost, Backdoors jsou podobné mnoha administrativním systémům navrženým a distribuovaným vývojáři softwaru.

Tyto typy škodlivých programů umožňují dělat cokoliv, co autor chce na napadeném počítači: odesílat a přijímat soubory, spouštět soubory nebo je smazat, zobrazovat zprávy, mazat data, restartovat počítač atd.

Programy v této kategorii se často používají k sjednocení skupiny obětí počítačů a vytvoření sítě botnet nebo zombie. To dává zlomyslným uživatelům centralizovanou kontrolu nad armádou infikovaných počítačů, které pak mohou být použity pro kriminální účely.

Existuje také skupina Backdoors, která je schopna šíření prostřednictvím sítí a infikování jiných počítačů jako Net-Worms. Rozdíl je v tom, že takové Backdoors se nerozšířují automaticky (jak to dělá Net-Worms), ale pouze na speciální "příkaz" od škodlivého uživatele, který je ovládá.

Platfoma: Win32

Win32 je rozhraní API v operačních systémech Windows NT (Windows XP, Windows 7 atd.), Které podporují provádění 32bitových aplikací. Jedna z nejrozšířenějších programovacích platforem na světě.

Family: Backdoor.Win32.PPdoor

No family description

Examples

14A6F2DE38258CFD256B4987E09B198E
CE5E031EA6BA94EBA2503FE64E39BD21
25617C72D50257A094BFB61059B6AB75
B427700D1D74A82D7BB179AA23076EB2
3020BBB79427BA6D3F6AA63A0E67D95C

Tactics and Techniques: Mitre*

TA0002

Execution

The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

T1559.001

Component Object Model

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE). Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).

TA0003

Persistence

The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

T1547.001

Registry Run Keys / Startup Folder

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.

TA0004

Privilege Escalation

The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: SYSTEM/root level, local administrator, user account with admin-like access, user accounts with access to specific system or perform specific function. These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.

T1547.001

Registry Run Keys / Startup Folder

TA0005

Defense Evasion

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

T1112

Modify Registry

Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.

TA0007

Discovery

The adversary is trying to figure out your environment.

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.

T1518.001

Software Discovery: Security Software Discovery

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)

TA0011

Command and Control

The adversary is trying to communicate with compromised systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim's network structure and defenses.

T1095

Non-Application Layer Protocol

Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).