WEBC2

WEBC2 is a family of backdoor malware used byAPT1 as early as July 2006.WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server.^[1]^[2]

ID: S0109

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Contributors: Wes Hurd

Version: 2.0

Created: 31 May 2017

Last Modified: 26 December 2023

Version Permalink

Live Version

Enterprise Layer

download view

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter:Windows Command Shell	WEBC2 can open an interactive command shell.^[2]
Enterprise	T1574	.001	Hijack Execution Flow:DLL	Variants ofWEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to`%SYSTEMROOT%` (`C:\WINDOWS\ntshrui.dll`).^[1]
Enterprise	T1105		Ingress Tool Transfer	WEBC2 can download and execute a file.^[2]

Groups That Use This Software

ID	Name	References
G0006	APT1	^[2]

References

Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.

Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.

Movatterモバイル変換

WEBC2

Enterprise Layer

Techniques Used

Groups That Use This Software

References