Tag: T1082

Tactic: Initial Access (TA0001)

Technique: Exploit Public-Facing Application (T1190)

Procedure: Exploit vulnerabilities (ODAY and NDAY) in public-facing PHP applications to gain initial access to the server.

Tactic: Initial Access (TA0001)

Technique: Valid Accounts (T1078)

Procedure: Leverage weak password brute-forcing techniques to compromise valid accounts and gain unauthorized access.

Tactic: Initial Access (TA0001)

Technique: Supply Chain Compromise (T1195)

Procedure: Distribute pre-compromised business systems embedded with the 10ader_shell backdoor through cybercrime source code forums.

Tactic: Execution (TA0002)

Technique: Command and Scripting Interpreter: PHP (T1059.004)

Procedure: Execute malicious PHP code (task_loader, init_task, client_loader, etc.) within the web application environment to carry out various malicious activities.

Tactic: Persistence (TA0003)

Technique: Server Software Component: Web Shell (T1505.003)

Procedure: Inject web shells (10ader_shell) into PHP files to maintain persistence on the compromised server.

Tactic: Persistence (TA0003)

Technique: Create or Modify System Process: Launch Daemon (T1543.003)

Procedure: Install the Winnti backdoor as a daemon process by modifying the /etc/init.d/network file.

Tactic: Command and Control (TA0011)

Technique: Application Layer Protocol: Web Protocols (T1071.001): HTTP

Procedure: Establish an HTTP-based C2 channel for communication with the C2 server (v6.thinkphp1.com, v20.thinkphp1.com) and retrieve additional payloads.

Tactic: Command and Control (TA0011)

Technique: Application Layer Protocol: Web Protocols (T1071.001): UDP

Procedure: Utilize UDP for C2 communication with the PHP backdoor, enabling command execution and data exfiltration.

Tactic: Defense Evasion (TA0005)

Technique: Obfuscated Files or Information (T1027)

Procedure: Employ obfuscation techniques in later stages of the attack (e.g., obfuscating the 10ader function code in client_loader) to hinder analysis and detection.

Tactic: Collection (TA0009)

Technique: System Information Discovery (T1082)

Procedure: Collect system information, including OS version, PHP version, and sensitive data from Baota panels, to gain situational awareness and identify valuable targets.

Tactic: Exfiltration (TA0010)

Technique: Exfiltration Over C2 Channel (T1041)

Procedure: Exfiltrate collected data over HTTP and UDP C2 channels to attacker-controlled servers.