ADVSTORESHELL

Among other things, it uses zero-day exploits, spear phishing and malware to compromise targets.

Figure 2. Main attack methods and malware used by the Sednit group since 2014... Email attachments

Together with the help of above mentioned tools, the group gained access to the file system and registry; enumerate network resources; create processes... | It used a downloader tool that FireEye dubbed " SOURFACE ", a backdoor labelled " EVILTOSS " that gives hackers remote access and a flexible modular implant called " CHOPSTICK " to enhance functionality of the espionage software.

The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.' | Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.

Together with the help of above mentioned tools... execute shellcode...

A Sedreco plugin comes as a Windows DLL with two exported functions named Init and UnInit. The plugin is loaded in the same address space as Sedreco’s payload with a call to the Windows API LoadLibraryA.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

we have observed other methods, like registering the payload as a Shell Icon Overlay handler COM object

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

we have observed other methods, like registering the payload as a Shell Icon Overlay handler COM object

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

A Sedreco plugin comes as a Windows DLL with two exported functions named Init and UnInit. The plugin is loaded in the same address space as Sedreco’s payload with a call to the Windows API LoadLibraryA.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

Xagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration... RemoteKeylogger 0x1002 Logs keystrokes

Together with the help of above mentioned tools... access stored credentials...

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

17 List connected devices

Together with the help of above mentioned tools, the group gained access to the file system and registry; enumerate network resources...

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

5 List directories ... 22 List files and directories

The content repeatedly describes malware and threat actors identifying, monitoring, or enumerating connected peripheral devices such as USB mass storage, Bluetooth devices, printers, smart card readers, cameras, Apple devices, VGA/display devices, and removable drives.

20 Map network resources

Xagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration... RemoteKeylogger 0x1002 Logs keystrokes

The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.

The source code contains two different channel implementations, one over HTTP and one over email... HttpChannel::getRawPacket() method is implemented as a HTTP GET request... sendRawPacket() is an HTTP POST request.

The attackers then upgraded valuable targets to the X-Agent backdoor, often pairing it with the Sedreco loader and the X-Tunnel network pivot.

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

4H RAT has the capability to create a remote shell. AuditCred can open a reverse shell on the system to execute commands. PlugX allows actors to spawn a reverse shell on a victim. QuasarRAT can launch a remote shell to execute commands on the victim’s machine.

The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.

ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.