Open Hunting - Threat Library

Openhunting Threat Library

TrailBlazer

(Type: Backdoor)

(CrowdStrike) TrailBlazer is a sophisticated malware family that provides modular functionality and a very low prevalence. The malware shares high-level functionality with other malware families. In particular, the use of random identifier strings for C2 operations and result codes, and attempts to hide C2 communications in seemingly legitimate web traffic, were previously observed tactics, techniques and procedures (TTPs) in {{GoldMax}} and {{SUNBURST}}.

[News Analysis] Trends:

Total Trend: 0

Trend Per Year

Trend Per Month

[News Analysis] News Mention Another Threat Name:

[TTP Analysis] Technique Performance:

reconnaissance

0/43

resource development

0/45

initial access

0/19

execution

0/36

persistence

1/113

privilege escalation

1/96

defense evasion

1/184

credential access

0/63

discovery

0/44

lateral movement

0/22

collection

0/37

command and control

3/39

exfiltration

0/18

impact

0/26

[TTP Analysis] Mitre Attack Matrix:

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
				T1546.003 Event Triggered Execution : Windows Management Instrumentation Event Subscription	T1546.003 Event Triggered Execution : Windows Management Instrumentation Event Subscription	T1036 Masquerading					T1071.001 Application Layer Protocol : Web Protocols T1001 Data Obfuscation T1001.001 Data Obfuscation : Junk Data

[Infrastructure Analysis] Based on Related IOC:

IP:Port	Timestamp

Domain	Timestamp

URL	Timestamp

[Target Analysis] Region/Sector:

No information

References:

News Basic Information Indicator of Compromise Mitre Attack

Basic Information (Credit @etda.or.th)

Tool: TrailBlazer

Names: TrailBlazer

Description: (CrowdStrike) TrailBlazer is a sophisticated malware family that provides modular functionality and a very low prevalence. The malware shares high-level functionality with other malware families. In particular, the use of random identifier strings for C2 operations and result codes, and attempts to hide C2 communications in seemingly legitimate web traffic, were previously observed tactics, techniques and procedures (TTPs) in {{GoldMax}} and {{SUNBURST}}.

Category: Malware

Type: Backdoor

Information: https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/

Mitre-attack: https://attack.mitre.org/software/S0682/

Last-card-change: 2022-12-30

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
				T1546.003 EVENT TRIGGERED EXECUTION : WINDOWS MANAGEMENT INSTRUMENTATION EVENT SUBSCRIPTION trailblazer has the ability to use wmi for persistence.	T1546.003 EVENT TRIGGERED EXECUTION : WINDOWS MANAGEMENT INSTRUMENTATION EVENT SUBSCRIPTION trailblazer has the ability to use wmi for persistence.	T1036 MASQUERADING trailblazer has used filenames that match the name of the compromised system in attempt to avoid detection.					T1071.001 APPLICATION LAYER PROTOCOL : WEB PROTOCOLS trailblazer has used http requests for c2. T1001 DATA OBFUSCATION trailblazer can masquerade its c2 traffic as legitimate google notifications http requests. T1001.001 DATA OBFUSCATION : JUNK DATA trailblazer has used random identifier strings to obscure its c2 operations and result codes.