ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool sctrls

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: sctrls

Namessctrls
CategoryMalware
TypeReconnaissance, Backdoor, Downloader
Description(Trend Micro) The sctrls backdoor has these functions:
• Compute the unique identifier (hash) from the username and computer name.
• Register a new user on the C&C server; this registration creates a new folder with hash name (<some_name>.php?b=<hash>).
• Read contents of the folder with the hash name from the C&C server, then download and run executables from that particular folder.

The malware operators can then upload binaries of shells or file stealers that will be executed into the respective folders. The directories of their C&C server were unsecured, and we were able to access all their registered victims (hashes) - numbering around 50 - as well as the other backdoors and file stealers in their employ.
Information<https://documents.trendmicro.com/assets/research-deciphering-confucius-cyberespionage-operations.pdf>

Last change to this tool card: 20 April 2020

Download this tool card in JSON format

Previous: Screenshotter
Next: SDBbot

All groups using tool sctrls

ChangedNameCountryObserved

APT groups

 ConfuciusIndia2013-May 2018 

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key