ATT&CKcon 5.0 returns October 22-23, 2024 in McLean, VA. Register for in-person participation here. Stay tuned for virtual registration!

Comnie

Comnie is a remote backdoor which has been used in attacks in East Asia. ^[1]

ID: S0244

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 17 October 2018

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1087	.001	Account Discovery: Local Account	Comnie uses the `net user` command.^[1]
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Comnie uses HTTP for C2 communication.^[1]
Enterprise	T1119		Automated Collection	Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporarily file to the remote C2 server.^[1]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry.^[1]
		.009	Boot or Logon Autostart Execution: Shortcut Modification	Comnie establishes persistence via a .lnk file in the victim’s startup path.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Comnie executes BAT scripts.^[1]
		.005	Command and Scripting Interpreter: Visual Basic	Comnie executes VBS scripts.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	Comnie encrypts command and control communications with RC4.^[1]
Enterprise	T1027		Obfuscated Files or Information	Comnie uses RC4 and Base64 to obfuscate strings.^[1]
		.001	Binary Padding	Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.^[1]
Enterprise	T1057		Process Discovery	Comnie uses the `tasklist` to view running processes on the victim’s machine.^[1]
Enterprise	T1018		Remote System Discovery	Comnie runs the `net view` command
Enterprise	T1518	.001	Software Discovery: Security Software Discovery	Comnie attempts to detect several anti-virus products.^[1]
Enterprise	T1218	.011	System Binary Proxy Execution: Rundll32	Comnie uses Rundll32 to load a malicious DLL.^[1]
Enterprise	T1082		System Information Discovery	Comnie collects the hostname of the victim machine.^[1]
Enterprise	T1016		System Network Configuration Discovery	Comnie uses `ipconfig /all` and `route PRINT` to identify network adapter and interface information.^[1]
Enterprise	T1049		System Network Connections Discovery	Comnie executes the `netstat -ano` command.^[1]
Enterprise	T1007		System Service Discovery	Comnie runs the command: `net start >> %TEMP%\info.dat` on a victim.^[1]
Enterprise	T1102	.002	Web Service: Bidirectional Communication	Comnie uses blogs and third-party sites (GitHub, tumbler, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server.^[1]

References

Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.