DropBook
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .003 | Command and Scripting Interpreter:Windows Command Shell | DropBook can execute arbitrary shell commands on the victims' machines.[1][2] |
| .006 | Command and Scripting Interpreter:Python | DropBook is a Python-based backdoor compiled with PyInstaller.[1] | ||
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | DropBook can unarchive data downloaded from the C2 to obtain the payload and persistence modules.[1] | |
| Enterprise | T1567 | Exfiltration Over Web Service | DropBook has used legitimate web services to exfiltrate data.[2] | |
| Enterprise | T1083 | File and Directory Discovery | DropBook can collect the names of all files and folders in the Program Files directories.[1][2] | |
| Enterprise | T1105 | Ingress Tool Transfer | ||
| Enterprise | T1082 | System Information Discovery | DropBook has checked for the presence of Arabic language in the infected machine's settings.[1] | |
| Enterprise | T1614 | .001 | System Location Discovery:System Language Discovery | DropBook has checked for the presence of Arabic language in the infected machine's settings.[2] |
| Enterprise | T1102 | Web Service | DropBook can communicate with its operators by exploiting the Simplenote, DropBox, and the social media platform, Facebook, where it can create fake accounts to control the backdoor and receive instructions.[1][2] | |