ATT&CKcon 5.0 returns October 22-23, 2024 in McLean, VA. Register for in-person participation here. Stay tuned for virtual registration!

BUBBLEWRAP

BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. ^[1]

ID: S0043

ⓘ

Associated Software: Backdoor.APT.FakeWinHTTPHelper

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	BUBBLEWRAP can communicate using HTTP or HTTPS.^[1]
Enterprise	T1095		Non-Application Layer Protocol	BUBBLEWRAP can communicate using SOCKS.^[1]
Enterprise	T1082		System Information Discovery	BUBBLEWRAP collects system information, including the operating system version and hostname.^[1]

Groups That Use This Software

ID	Name	References
G0018	admin@338	^[1]

References

FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.

BUBBLEWRAP

Enterprise Layer

Techniques Used

Groups That Use This Software

References