{"description": "Enterprise techniques used by BOOKWORM, ATT&CK software S1226 (v1.0)", "name": "BOOKWORM (S1226)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has communicated with its C2 via HTTP POST requests. (Citation: Unit42 Bookworm Nov2015)(Citation: Palo Alto Networks, Unit 42)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1115", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has used its KBLogger.dll module to steal data saved to the clipboard. (Citation: Unit42 Bookworm Nov2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has created a service named `Microsoft Windows DeviceSync Service` at `HKLM\\SYSTEM\\CurrentControlSet\\Services\\DeviceSync\\` to trigger execution when the system starts and to maintain persistence. (Citation: Unit42 Bookworm Nov2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.003", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has modified HTTP POST requests to resemble legitimate communications.(Citation: Palo Alto Networks, Unit 42)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has decoded its Base64 encoded payload prior to execution.(Citation: Palo Alto Networks, Unit 42)  [BOOKWORM](https://attack.mitre.org/software/S1226) has also encrypted files with RC4 and has decrypted its payload prior to execution.(Citation: Unit42 Bookworm Nov2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has used encryption and compression algorithms to obfuscate the traffic between the system and C2 server, methods observed included RC4, AES, XOR with 0x5a, and LZO. (Citation: Unit42 Bookworm Nov2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has created a hidden window when conducting key logging and clipboard theft through its KBLogger.dll module.(Citation: Unit42 Bookworm Nov2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has used DLL side-loading to execute the malicious payload. (Citation: Broadcom)(Citation: Palo Alto Networks, Unit 42)  [BOOKWORM](https://attack.mitre.org/software/S1226) has also side-loaded DLL components into a legitimate process, including Microsoft Malware Protection `MsMpEng.exe` and Kaspersky Anti-Virus `ushata.exe`.(Citation: Unit42 Bookworm Nov2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has modified file timestamps from the export address table (EAT) to make it difficult to discern when the module was created. (Citation: Palo Alto Networks, Unit 42)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has used its KBLogger.dll module to capture keystrokes and stored them in a folder. (Citation: Unit42 Bookworm Nov2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has created services that attempt to resemble legitimate services to include a service named `Microsoft Windows DeviceSync Service`.(Citation: Unit42 Bookworm Nov2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has modified Registry key values as part of its created service `DeviceSync`. (Citation: Unit42 Bookworm Nov2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has used various Windows API calls during execution and defense evasion.(Citation: Broadcom) (Citation: Palo Alto Networks, Unit 42) [BOOKWORM](https://attack.mitre.org/software/S1226) has created a buffer on the heap using `HeapCreate` and `HeapAlloc` which allows for copying of shell code and then execution on the heap is initiated through callback function of legitimate API functions such as `EnumChildWindows` or `EnumSystemLanguageGroupsA`. (Citation: Palo Alto Networks, Unit 42)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has been delivered using self-extracting RAR archives.(Citation: Unit42 Bookworm Nov2015)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has utilized Base64 encoding to obfuscate its payload.(Citation: Palo Alto Networks, Unit 42)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has used valid legitimate digital signatures and certificates to evade detection. (Citation: Unit42 Bookworm Nov2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1033", "comment": "[BOOKWORM](https://attack.mitre.org/software/S1226) has obtained the username from an infected host. (Citation: Unit42 Bookworm Nov2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BOOKWORM", "color": "#66b1ff"}]}