2020 by SecureWorks from Secureworks
2019-10-24 by Takahiro Haruyama from Carbon Black
2019-04-01 by Macnica Networks from Macnica Networks
2018-10-01 by Macnica Networks from Macnica Networks
2018-03-29 by Tamada Kiyotaka from Trend Micro
Tool: Anel
Names: Anel, lena, UpperCut
Description: (Carbon Black) ANEL (also referred to as UpperCut) is a RAT used by APT10 and observed only in Japan. According to SecureWorks, all ANEL samples of version 5.3.0 or later are obfuscated with opaque predicates and control-flow flattening.
Category: Malware
Type: Backdoor
Information: https://www.carbonblack.com/2019/02/25/defeating-compiler-level-obfuscations-used-in-apt10-malware/
Information: https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/
Mitre-attack: https://attack.mitre.org/software/S0275/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.anel
Last-card-change: 2022-12-28
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| | | T1059.003 COMMAND AND SCRIPTING INTERPRETER : WINDOWS COMMAND SHELL UpperCut uses cmd.exe to execute commands on the victim's machine. | | | | | T1083 FILE AND DIRECTORY DISCOVERY UpperCut has the capability to gather the victim's current directory.<br>T1082 SYSTEM INFORMATION DISCOVERY UpperCut has the capability to gather the system's hostname and OS version.<br>T1016 SYSTEM NETWORK CONFIGURATION DISCOVERY UpperCut has the capability to gather the victim's proxy information.<br>T1033 SYSTEM OWNER/USER DISCOVERY UpperCut has the capability to collect the currently logged-on user's username from a machine.<br>T1124 SYSTEM TIME DISCOVERY UpperCut has the capability to obtain the time zone information and current timestamp of the victim's machine. | | T1113 SCREEN CAPTURE UpperCut can capture desktop screenshots in the PNG format and send them to the C2 server. | T1071.001 APPLICATION LAYER PROTOCOL : WEB PROTOCOLS UpperCut has used HTTP for C2, including sending error codes in Cookie headers.<br>T1573.001 ENCRYPTED CHANNEL : SYMMETRIC CRYPTOGRAPHY Some versions of UpperCut have used the hard-coded string "this is the encrypt key" for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys unique to each C2 address. | | |