RIFLESPINE is a cross-platform backdoor that leverages Google Drive for file transfer and command execution.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | RIFLESPINE can use HTTP |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | RIFLESPINE can execute commands with |
| Enterprise | T1543.002 | Create or Modify System Process: Systemd Service | RIFLESPINE can create a systemd service file for execution.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | RIFLESPINE can stage the output from executed C2 commands to a temporary file.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | RIFLESPINE can deobfuscate encrypted files prior to execution on targeted hosts.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | RIFLESPINE can use the AES algorithm to encrypt C2 data.[1] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | RIFLESPINE can upload results from executed C2 commands to cloud storage.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | RIFLESPINE can download and execute files.[1] |
| Enterprise | T1082 | System Information Discovery | RIFLESPINE can collect system information after installation on infected systems.[1] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | RIFLESPINE can retrieve C2 commands from an encrypted file on Google Drive, then upload the results of command execution back to Google Drive.[1] |