ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool SocksBot

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: SocksBot

NamesSocksBot
BIRDDOG
Nadrac
CategoryMalware
TypeReconnaissance, Backdoor, Info stealer, Exfiltration, Downloader, Loader
Description(Accenture) The SOCKSBOT implant has the following capabilities:
• Enumerate processes (process list)
• Take screenshots
• Download, upload, write, and execute files
• Create and inject into new processes
• Communicate to C2 via sockets.

This implant will communicate with the designated C2 server by first creating a buffer and will, on first execution, communicate to the C2 server that it has successfully infected a target by using a .php URI that is pseudo-randomly generated. SOCKSBOT uses the ObtainUserAgentString API to determine the default user-agent of the machine.
Information<https://www.accenture.com/_acnmedia/pdf-83/accenture-goldfin-security-alert.pdf>
<https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html>
<https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf>
MITRE ATT&CK<https://attack.mitre.org/software/S0273/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot>
AlienVault OTX<https://otx.alienvault.com/browse/pulses?q=tag:socksbot>

Last change to this tool card: 14 May 2020

Download this tool card in JSON format

All groups using tool SocksBot

ChangedNameCountryObserved

APT groups

 Carbanak, AnunakUkraine2013-Aug 2018X
 Patchwork, Dropping ElephantIndia2013-Mar 2018 

2 groups listed (2 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key