Backdoor.Oldrea
Backdoor.Oldrea is a modular backdoor that used byDragonfly against energy companies since at least 2013.Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[1][2][3]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .003 | Account Discovery:Email Account | Backdoor.Oldrea collects address book information from Outlook.[1] |
| Enterprise | T1560 | Archive Collected Data | Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.[1] | |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution:Registry Run Keys / Startup Folder | Backdoor.Oldrea adds Registry Run keys to achieve persistence.[1][2] |
| Enterprise | T1555 | .003 | Credentials from Password Stores:Credentials from Web Browsers | SomeBackdoor.Oldrea samples contain a publicly available Web browser password recovery tool.[1] |
| Enterprise | T1132 | .001 | Data Encoding:Standard Encoding | SomeBackdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.[1] |
| Enterprise | T1083 | File and Directory Discovery | Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.[1] | |
| Enterprise | T1070 | .004 | Indicator Removal:File Deletion | Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Backdoor.Oldrea can download additional modules from C2.[2] | |
| Enterprise | T1046 | Network Service Discovery | Backdoor.Oldrea can use a network scanning module to identify ICS-related ports.[2] | |
| Enterprise | T1057 | Process Discovery | Backdoor.Oldrea collects information about running processes.[1] | |
| Enterprise | T1055 | Process Injection | Backdoor.Oldrea injects itself into explorer.exe.[1][2] | |
| Enterprise | T1018 | Remote System Discovery | Backdoor.Oldrea can enumerate and map ICS-specific systems in victim environments.[2] | |
| Enterprise | T1218 | .011 | System Binary Proxy Execution:Rundll32 | Backdoor.Oldrea can use rundll32 for execution on compromised hosts.[2] |
| Enterprise | T1082 | System Information Discovery | Backdoor.Oldrea collects information about the OS and computer name.[1][2] | |
| Enterprise | T1016 | System Network Configuration Discovery | Backdoor.Oldrea collects information about the Internet adapter configuration.[1][2] | |
| Enterprise | T1033 | System Owner/User Discovery | Backdoor.Oldrea collects the current username from the victim.[1] | |
| ICS | T0802 | Automated Collection | Using OPC, a component ofBackdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze.[4] | |
| ICS | T0814 | Denial of Service | TheBackdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.[5] | |
| ICS | T0861 | Point & Tag Identification | TheBackdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices.[5][4] | |
| ICS | T0846 | Remote System Discovery | TheBackdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network.[6] | |
| ICS | T0888 | Remote System Information Discovery | TheBackdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process.[5][4] | |
| ICS | T0865 | Spearphishing Attachment | TheBackdoor.Oldrea RAT is distributed through a trojanized installer attached to emails.[4] | |
| ICS | T0862 | Supply Chain Compromise | TheBackdoor.Oldrea RAT is distributed through trojanized installers planted on compromised vendor sites.[4] | |
| ICS | T0863 | User Execution | Execution ofBackdoor.Oldrea relies on a user opening a trojanized installer attached to an email.[4][7] | |
Groups That Use This Software
References
- Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
- Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
- Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01
- ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01
- Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell 2015, December 08 A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Retrieved. 2019/04/01
- Kyle Wilhoit Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ICS Malware: Havex and Black Energy Retrieved. 2019/10/22