X-Agent

X-Agent, Xagent, Popr-d30, SPLM, CHOPSTICK, fysbis, Backdoor.SofacyX, webhp
(Type: Backdoor, Keylogger, Info stealer, Tunneling)

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. It is tracked separately from the X-Agent for Android.

[News Analysis] Trends:

Total Trend: 23

Trend Per Year (count per year)
  • 2014: 2
  • 2015: 3
  • 2016: 4
  • 2017: 8
  • 2018: 2
  • 2020: 4


Trend Per Month (count per month)
  • 2014 (month not given): 1
  • Sep 2014: 1
  • Feb 2015: 1
  • Dec 2015: 2
  • Feb 2016: 2
  • Jun 2016: 1
  • Oct 2016: 1
  • Jan 2017: 2
  • Feb 2017: 3
  • Mar 2017: 2
  • Dec 2017: 1
  • Oct 2018: 2
  • 2020 (month not given): 1
  • Feb 2020: 1
  • Jul 2020: 1
  • Sep 2020: 1



[News Analysis] News Mention Another Threat Name:

Mention count - threat name:
  • 7 - Cloud Snooper
  • 66 - Dacls
  • 7 - DoubleFantasy
  • 7 - MESSAGETAP
  • 22 - Penquin Turla
  • 7 - Tsunami
  • 22 - elf.wellmess
  • 79 - X-Agent
  • 18 - PhantomLance
  • 62 - AppleJeus
  • 18 - AcidBox
  • 62 - Cobalt Strike
  • 18 - EternalPetya
  • 18 - Godlike12
  • 18 - Olympic Destroyer
  • 18 - PlugX
  • 18 - shadowhammer
  • 18 - ShadowPad
  • 18 - Sinowal
  • 18 - VHD Ransomware
  • 62 - Volgmer
  • 18 - WellMess
  • 31 - XTunnel
  • 48 - Chrysaor
  • 48 - Exodus
  • 48 - VPNFilter
  • 48 - DNSRat
  • 48 - Griffon
  • 48 - KopiLuwak
  • 48 - More_eggs
  • 48 - SQLRat
  • 48 - BONDUPDATER
  • 48 - Agent.BTZ
  • 48 - Anchor
  • 48 - AndroMut
  • 48 - BOOSTWRITE
  • 48 - Brambul
  • 48 - Carbanak
  • 48 - DistTrack
  • 48 - DNSpionage
  • 48 - Dtrack
  • 48 - ELECTRICFISH
  • 48 - FlawedAmmyy
  • 48 - FlawedGrace
  • 48 - Get2
  • 48 - Grateful POS
  • 48 - HOPLIGHT
  • 48 - Imminent Monitor RAT
  • 48 - jason
  • 48 - Joanap
  • 48 - KerrDown
  • 48 - KEYMARBLE
  • 48 - Lambert
  • 48 - LightNeuron
  • 51 - LoJax
  • 48 - MiniDuke
  • 48 - PolyglotDuke
  • 48 - PowerRatankba
  • 48 - Rising Sun
  • 48 - SDBbot
  • 48 - ServHelper
  • 48 - Snatch
  • 48 - Stuxnet
  • 48 - TinyMet
  • 48 - tRat
  • 48 - TrickBot
  • 55 - Zebrocy
  • 7 - Computrace
  • 11 - HideDRV
  • 13 - Sedreco
  • 15 - Seduploader
  • 7 - Zebrocy (AutoIT)
  • 9 - APT28
  • 8 - Komplex
  • 10 - Coreshell
  • 8 - Downdelph
  • 10 - SEADADDY
  • 4 - OLDBAIT
  • 5 - ATI-Agent
  • 1 - XP PrivEsc (CVE-2014-4076)


[TTP Analysis] Technique Performance:

Tactic: techniques observed / techniques in the tactic
  • Reconnaissance: 0/43
  • Resource Development: 0/45
  • Initial Access: 1/19
  • Execution: 1/36
  • Persistence: 0/113
  • Privilege Escalation: 0/96
  • Defense Evasion: 3/184
  • Credential Access: 1/63
  • Discovery: 4/44
  • Lateral Movement: 1/22
  • Collection: 2/37
  • Command and Control: 9/39
  • Exfiltration: 0/18
  • Impact: 0/26


[TTP Analysis] Mitre Attack Matrix:

Tactics: TA0043 Reconnaissance | TA0042 Resource Development | TA0001 Initial Access | TA0002 Execution | TA0003 Persistence | TA0004 Privilege Escalation | TA0005 Defense Evasion | TA0006 Credential Access | TA0007 Discovery | TA0008 Lateral Movement | TA0009 Collection | TA0011 Command and Control | TA0010 Exfiltration | TA0040 Impact

Initial Access (TA0001)
  • T1091 Replication Through Removable Media

Execution (TA0002)
  • T1059 Command and Scripting Interpreter

Defense Evasion (TA0005)
  • T1112 Modify Registry
  • T1027.011 Obfuscated Files or Information: Fileless Storage
  • T1497 Virtualization/Sandbox Evasion

Credential Access (TA0006)
  • T1056.001 Input Capture: Keylogging

Discovery (TA0007)
  • T1083 File and Directory Discovery
  • T1012 Query Registry
  • T1518.001 Software Discovery: Security Software Discovery
  • T1497 Virtualization/Sandbox Evasion

Lateral Movement (TA0008)
  • T1091 Replication Through Removable Media

Collection (TA0009)
  • T1056.001 Input Capture: Keylogging
  • T1113 Screen Capture

Command and Control (TA0011)
  • T1071.001 Application Layer Protocol: Web Protocols
  • T1071.003 Application Layer Protocol: Mail Protocols
  • T1092 Communication Through Removable Media
  • T1568.002 Dynamic Resolution: Domain Generation Algorithms
  • T1573.001 Encrypted Channel: Symmetric Cryptography
  • T1573.002 Encrypted Channel: Asymmetric Cryptography
  • T1008 Fallback Channels
  • T1105 Ingress Tool Transfer
  • T1090.001 Proxy: Internal Proxy


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

An overview of targeted attacks and APTs on Linux

2020-09-10 by GReAT from Kaspersky Labs

APT trends report Q2 2020

2020-07-29 by GReAT from Kaspersky Labs

APT Report 2019

2020-02-13 by Qi Anxin Threat Intelligence Center from Qianxin

IRON TWILIGHT

2020 by SecureWorks from Secureworks

APT28: New Espionage Operations Target Military and Government Organizations

2018-10-04 by Critical Attack Discovery and Intelligence Team from Symantec

Indicators of Compromise for Malware used by APT28

2018-10-04 by NCSC UK from NCSC UK

Sednit update: How Fancy Bear Spent the Year

2017-12-21 by ESET Research from ESET Research

Tweet on XAgent for macOS

2017-03-23 by PhysicalDrive0 from Twitter (PhysicalDrive0)

Update on the Fancy Bear Android malware (poprd30.apk)

2017-03-02 by Boldizsar Bencsath from Laboratory of Cryptography and System Security

Dissecting the APT28 Mac OS X Payload

2017-02-21 by Bitdefender from Bitdefender

Part I. Russian APT - APT28 collection of samples including OSX XAgent

2017-02-20 by Mila Parkour from Contagio Dump

XAgentOSX: Sofacy’s XAgent macOS Tool

2017-02-14 by Robert Falcone from Palo Alto Networks Unit 42

APT28: At The Center Of The Storm

2017-01-10 by FireEye iSIGHT Intelligence from FireEye

Technical details on the Fancy Bear Android malware (poprd30.apk)

2017-01-03 by Boldizsar Bencsath from CrySyS Lab

En Route with Sednit Part 2: Observing the Comings and Goings

2016-10-20 by ESET Research from ESET Research

Bears in the Midst: Intrusion into the Democratic National Committee

2016-06-15 by Dmitri Alperovitch from CrowdStrike

A Look Into Fysbis: Sofacy’s Linux Backdoor

2016-02-12 by Bryan Lee from Palo Alto Networks Unit 42

APT28 Under the Scope: A Journey into Exfiltrating Intelligence and Government Information

2015-12-17 by Bitdefender from Bitdefender

Sofacy APT hits high profile targets with updated toolset

2015-12-04 by GReAT from Kaspersky Labs

Pawn Storm Update: iOS Espionage App Found

2015-02-04 by Lambert Sun from Trend Micro

Peering Into the Aquarium: Analysis of a Sophisticated Multi-Stage Malware Family

2014-09-05 by Neel Mehta from Google

APT28

2014 by FireEye from FireEye

Basic Information (Credit @etda.or.th)

Tool: X-Agent

Names: X-Agent, Xagent, Popr-d30, SPLM, CHOPSTICK, fysbis, Backdoor.SofacyX, webhp

Description: CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. It is tracked separately from the X-Agent for Android.

Category: Malware

Type: Backdoor, Keylogger, Info stealer, Tunneling

Information: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

Information: http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/

Information: http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/

Information: https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html

Information: https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf

Information: http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf

Information: https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/

Information: https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf

Information: http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf

Information: https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

Information: http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf

Mitre-attack: https://attack.mitre.org/software/S0023/

Mitre-attack: https://attack.mitre.org/software/S0410/

Mitre-attack: https://attack.mitre.org/software/S0161/

Mitre-attack: https://attack.mitre.org/software/S0314/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/apk.popr-d30

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:X-Agent

Last-card-change: 2022-12-30

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

Indicators of Compromise (Credit @ThreatFox)

MD5_HASH
  • c75ffcb1a96a4aa0700af898650aac12
  • c0ca0af1f0f646e52dc05af024693b6f
  • 540e4a7a28ca1514e53c2564993d8d87

TTP Info (Credit @Mitre)

Tactics: TA0043 Reconnaissance | TA0042 Resource Development | TA0001 Initial Access | TA0002 Execution | TA0003 Persistence | TA0004 Privilege Escalation | TA0005 Defense Evasion | TA0006 Credential Access | TA0007 Discovery | TA0008 Lateral Movement | TA0009 Collection | TA0011 Command and Control | TA0010 Exfiltration | TA0040 Impact

Initial Access (TA0001)
  • T1091 Replication Through Removable Media: Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.

Execution (TA0002)
  • T1059 Command and Scripting Interpreter: CHOPSTICK is capable of performing remote command execution.

Defense Evasion (TA0005)
  • T1112 Modify Registry: CHOPSTICK may modify registry keys to store RC4-encrypted configuration information.
  • T1027.011 Obfuscated Files or Information: Fileless Storage: CHOPSTICK may store RC4-encrypted configuration information in the Windows Registry.
  • T1497 Virtualization/Sandbox Evasion: CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it.

Credential Access (TA0006)
  • T1056.001 Input Capture: Keylogging: CHOPSTICK is capable of performing keylogging.

Discovery (TA0007)
  • T1083 File and Directory Discovery: An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.
  • T1012 Query Registry: CHOPSTICK provides access to the Windows Registry, which can be used to gather information.
  • T1518.001 Software Discovery: Security Software Discovery: CHOPSTICK checks for antivirus and forensics software.
  • T1497 Virtualization/Sandbox Evasion: CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it.

Lateral Movement (TA0008)
  • T1091 Replication Through Removable Media: Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.

Collection (TA0009)
  • T1056.001 Input Capture: Keylogging: CHOPSTICK is capable of performing keylogging.
  • T1113 Screen Capture: CHOPSTICK has the capability to capture screenshots.

Command and Control (TA0011)
  • T1071.001 Application Layer Protocol: Web Protocols: Various implementations of CHOPSTICK communicate with C2 over HTTP.
  • T1071.003 Application Layer Protocol: Mail Protocols: Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.
  • T1092 Communication Through Removable Media: Part of APT28's operation involved using CHOPSTICK modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic.
  • T1568.002 Dynamic Resolution: Domain Generation Algorithms: CHOPSTICK can use a DGA for fallback channels; domains are generated by concatenating words from lists.
  • T1573.001 Encrypted Channel: Symmetric Cryptography: CHOPSTICK encrypts C2 communications with RC4.
  • T1573.002 Encrypted Channel: Asymmetric Cryptography: CHOPSTICK encrypts C2 communications with TLS.
  • T1008 Fallback Channels: CHOPSTICK can switch to a new C2 channel if the current one is broken.
  • T1105 Ingress Tool Transfer: CHOPSTICK is capable of performing remote file transmission.
  • T1090.001 Proxy: Internal Proxy: CHOPSTICK used a proxy server between victims and the C2 server.