GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020; it is likely used by FIN6 and Wizard Spider.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | GrimAgent has the ability to use HTTP for C2 communications.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | GrimAgent can use the Windows Command Shell to execute commands, including its own removal.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1005 | Data from Local System | GrimAgent can collect data and files from a compromised host.[1] |
| Enterprise | T1001.001 | Data Obfuscation: Junk Data | GrimAgent can pad C2 messages with randomly generated values.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | GrimAgent can use an AES key to encrypt C2 communications.[1] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | GrimAgent can use a hardcoded server public RSA key to encrypt the first request to C2.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | GrimAgent has sent data related to a compromised host over its C2 channel.[1] |
| Enterprise | T1083 | File and Directory Discovery | GrimAgent has the ability to enumerate files and directories on a compromised host.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1070.009 | Indicator Removal: Clear Persistence | GrimAgent can delete previously created tasks on a compromised host.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | GrimAgent has the ability to download and execute additional payloads.[1] |
| Enterprise | T1106 | Native API | GrimAgent can use Native API including |
| Enterprise | T1027 | Obfuscated Files or Information | GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.[1] |
| Enterprise | T1027.001 | Binary Padding | GrimAgent has the ability to add bytes to change the file hash.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | GrimAgent has the ability to set persistence using the Task Scheduler.[1] |
| Enterprise | T1082 | System Information Discovery | GrimAgent can collect the OS and build version on a compromised host.[1] |
| Enterprise | T1614 | System Location Discovery | GrimAgent can identify the country code on a compromised host.[1] |
| Enterprise | T1614.001 | System Language Discovery | GrimAgent has used |
| Enterprise | T1016 | System Network Configuration Discovery | GrimAgent can enumerate the IP and domain of a target system.[1] |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | GrimAgent can sleep for 195 - 205 seconds after payload execution and before deleting its task.[1] |