
Gelsemium

Gelsemium is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.[1]

ID: S0666
Associated Software: Gelsevirine, Gelsenicine, Gelsemine
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 30 November 2021
Last Modified: 11 April 2024

Associated Software Descriptions

Name | Description

Gelsevirine | [1]

Gelsenicine | [1]

Gelsemine | [1]


Techniques Used

Domain | ID | Name | Use

Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control

Gelsemium can bypass UAC to elevate process privileges on a compromised host.[1]

Enterprise | T1134 | Access Token Manipulation

Gelsemium can use token manipulation to bypass UAC on Windows 7 systems.[1]

Enterprise | T1071.001 | Application Layer Protocol: Web Protocols

Gelsemium can use HTTP/S in C2 communications.[1]

Enterprise | T1071.004 | Application Layer Protocol: DNS

Gelsemium has the ability to use DNS in communication with C2.[1]

Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Gelsemium can set persistence with a Registry run key.[1]

Enterprise | T1547.012 | Boot or Logon Autostart Execution: Print Processors

Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll to be loaded automatically by the spoolsv Windows service.[1]

Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell

Gelsemium can use a batch script to delete itself.[1]

Enterprise | T1543.003 | Create or Modify System Process: Windows Service

Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll as an alternative Print Processor to be loaded automatically when the spoolsv Windows service starts.[1]

Enterprise | T1005 | Data from Local System

Gelsemium can collect data from a compromised host.[1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information

Gelsemium can decompress and decrypt DLLs and shellcode.[1]

Enterprise | T1568 | Dynamic Resolution

Gelsemium can use dynamic DNS domain names in C2.[1]

Enterprise | T1008 | Fallback Channels

Gelsemium can use multiple domains and protocols in C2.[1]

Enterprise | T1083 | File and Directory Discovery

Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion.[1]

Enterprise | T1070.004 | Indicator Removal: File Deletion

Gelsemium can delete its dropper component from the targeted system.[1]

Enterprise | T1070.006 | Indicator Removal: Timestomp

Gelsemium has the ability to perform timestomping of files on targeted systems.[1]

Enterprise | T1105 | Ingress Tool Transfer

Gelsemium can download additional plug-ins to a compromised host.[1]

Enterprise | T1559.001 | Inter-Process Communication: Component Object Model

Gelsemium can use the IARPUinstallerStringLauncher COM interface as part of its UAC bypass process.[1]

Enterprise | T1036.001 | Masquerading: Invalid Code Signature

Gelsemium has used unverified signatures on malicious DLLs.[1]

Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location

Gelsemium has named malicious binaries serv.exe, winprint.dll, and chrome_elf.dll and has set its persistence in the Registry with the key value Chrome Update to appear legitimate.[1]

Enterprise | T1112 | Modify Registry

Gelsemium can modify the Registry to store its components.[1]

Enterprise | T1106 | Native API

Gelsemium has the ability to use various Windows API functions to perform tasks.[1]

Enterprise | T1095 | Non-Application Layer Protocol

Gelsemium has the ability to use TCP and UDP in C2 communications.[1]

Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage

Gelsemium can store its components in the Registry.[1]

Enterprise | T1027.015 | Obfuscated Files or Information: Compression

Gelsemium has the ability to compress its components.[1]

Enterprise | T1027.016 | Obfuscated Files or Information: Junk Code Insertion

Gelsemium can use junk code to hide functions and evade detection.[1]

Enterprise | T1057 | Process Discovery

Gelsemium can enumerate running processes.[1]

Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection

Gelsemium has the ability to inject DLLs into specific processes.[1]

Enterprise | T1012 | Query Registry

Gelsemium can open random files and Registry keys to obscure malware behavior from sandbox analysis.[1]

Enterprise | T1620 | Reflective Code Loading

Gelsemium can use custom shellcode to map embedded DLLs into memory.[1]

Enterprise | T1518.001 | Software Discovery: Security Software Discovery

Gelsemium can check for the presence of specific security products.[1]

Enterprise | T1082 | System Information Discovery

Gelsemium can determine the operating system and whether a targeted machine has a 32- or 64-bit architecture.[1]

Enterprise | T1033 | System Owner/User Discovery

Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host.[1]

Enterprise | T1497 | Virtualization/Sandbox Evasion

Gelsemium can use junk code to generate random activity to obscure malware behavior.[1]
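The persistence rows above (Print Processors T1547.012 / T1543.003, Registry Run key T1547.001) and the masquerading rows (unsigned DLLs T1036.001, the winprint.dll and "Chrome Update" names T1036.005) all point at host locations a responder can audit directly. The PowerShell below is an added example for that audit; it is not code from the ATT&CK page or from ESET's report. It assumes it is run on the Windows host being checked, preferably elevated. The file path and names come from the page; the Print Processors registry key under HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments is the standard Windows registration location and is assumed here rather than taken from the page. It reports rather than decides: a DLL with a non-Valid signature status, a print processor whose Driver value is unexpected, a Run value named after a product that is not installed, or a file whose creation and modification times are implausibly far apart (one symptom of timestomping, T1070.006) are items for review, not automatic verdicts.

```powershell
# Added example (not from the ATT&CK page): audit the Gelsemium persistence
# and masquerading locations listed in the techniques table.
# Assumptions: run on the host under review, ideally elevated; the registry
# key for print processor registration is the standard Windows location.

$ppDir = Join-Path $env:SystemRoot 'System32\spool\prtprocs\x64'   # path named on the page
$ppKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors'

Write-Host "== Print processors registered under $ppKey =="
# Each subkey names a processor; its Driver value is the DLL spoolsv will load.
Get-ChildItem $ppKey -ErrorAction SilentlyContinue | ForEach-Object {
    [PSCustomObject]@{
        Name   = $_.PSChildName
        Driver = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Driver
    }
} | Format-Table -AutoSize

Write-Host "== DLLs in $ppDir with Authenticode status and timestamps =="
Get-ChildItem $ppDir -Filter *.dll -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature $_.FullName
    [PSCustomObject]@{
        File     = $_.Name
        Status   = $sig.Status                      # 'Valid' is expected for a Microsoft-shipped DLL
        Signer   = $sig.SignerCertificate.Subject   # empty when the file carries no signature
        Created  = $_.CreationTime                  # creation far later than modification is worth a look
        Modified = $_.LastWriteTime
        Sha256   = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
    }
} | Format-List

Write-Host "== Run key values (page reports a value named 'Chrome Update') =="
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props  = Get-ItemProperty $runKey -ErrorAction SilentlyContinue |
              Select-Object -Property * -ExcludeProperty PS*        # drop provider metadata
    if ($null -eq $props) { continue }
    $props.PSObject.Properties | ForEach-Object {
        [PSCustomObject]@{ Hive = $hive; Name = $_.Name; Command = $_.Value }
    } | Format-Table -AutoSize
}
```

Run it on a known-clean build of the same Windows version first and diff the two outputs; the registered processor list and the DLL hashes on a clean host are the baseline that makes an extra processor, an unsigned winprint.dll, or an unexplained Run value stand out.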

References
