{"description": "Enterprise techniques used by BADNEWS, ATT&CK software S0128 (v1.2)", "name": "BADNEWS (S0128)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) establishes a backdoor over HTTP.(Citation: PaloAlto Patchwork Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) monitors USB devices and copies files with certain extensions to a predefined directory.(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) installs a registry Run key to establish persistence.(Citation: Forcepoint Monsoon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) is capable of executing commands via cmd.exe.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "comment": "After encrypting C2 data, [BADNEWS](https://attack.mitre.org/software/S0128) converts it into a hexadecimal representation and then encodes it into base64.(Citation: Forcepoint Monsoon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) encodes C2 traffic with base64.(Citation: Forcepoint Monsoon)(Citation: PaloAlto Patchwork Mar 2018)(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "When it first starts, [BADNEWS](https://attack.mitre.org/software/S0128) crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.(Citation: Forcepoint Monsoon)(Citation: PaloAlto Patchwork Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1039", "comment": "When it first starts, [BADNEWS](https://attack.mitre.org/software/S0128) crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.(Citation: Forcepoint Monsoon)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1025", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) copies files with certain extensions from USB devices to\na predefined directory.(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) copies documents under 15MB found on the victim system to is the user's %temp%\\SMB\\ folder. It also copies files from USB devices to a predefined directory.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) encrypts C2 data with a ROR by 3 and an XOR by 0x23.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) identifies files with certain extensions from USB devices, then copies them to a predefined directory.(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) typically loads its DLL file into a legitimate signed Java or VMware executable.(Citation: Forcepoint Monsoon)(Citation: PaloAlto Patchwork Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) is capable of downloading additional files through C2 channels, including a new version of itself.(Citation: Forcepoint Monsoon)(Citation: PaloAlto Patchwork Mar 2018)(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "When it first starts, [BADNEWS](https://attack.mitre.org/software/S0128) spawns a new thread to log keystrokes.(Citation: Forcepoint Monsoon)(Citation: PaloAlto Patchwork Mar 2018)(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.001", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate.(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) attempts to hide its payloads using legitimate filenames.(Citation: PaloAlto Patchwork Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1120", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) has a command to download an .exe and use process hollowing to inject it into a new process.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) creates a scheduled task to establish by executing a malicious payload every subsequent minute.(Citation: PaloAlto Patchwork Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) has a command to take a screenshot and send it to the C2 server.(Citation: Forcepoint Monsoon)(Citation: PaloAlto Patchwork Mar 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.001", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) collects C2 information via a dead drop resolver.(Citation: Forcepoint Monsoon)(Citation: PaloAlto Patchwork Mar 2018)(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[BADNEWS](https://attack.mitre.org/software/S0128) can use multiple C2 channels, including RSS feeds, Github, forums, and blogs.(Citation: Forcepoint Monsoon)(Citation: PaloAlto Patchwork Mar 2018)(Citation: TrendMicro Patchwork Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BADNEWS", "color": "#66b1ff"}]}