Tanglecrypt

MITRE Techniques

• [T1027 ] Obfuscated Files or Information – The packer hides the payload using multiple layers of encoding/compression/encryption (‘…The payload is stored inside the PE Resources via multiple layers of base64 encoding, LZ78 compression and XOR encryption…’).
• [T1027.002 ] Software Packing – TangleCrypt implements a custom packing scheme that places the original executable in PE resources and reduces entropy with encrypted NULL regions (‘…the original executable is encrypted inside an entry of the PE resources in the ‘.rsrc’ section…’).
• [T1055 ] Process Injection – The loader supports executing the payload either in the same process or by creating a child process and writing the decrypted payload into it using CreateProcessW, WriteProcessMemory and ResumeThread (‘…starts a child process where the decrypted payload is written to… CreateProcessW, WriteProcessMemory and ResumeThread’).
• [T1548.002 ] Bypass User Account Control – STONESTOP checks for elevated privileges and restarts itself to run with admin rights, triggering a UAC prompt if needed (‘…If not, it will restart itself to run with admin rights, which triggers a UAC prompt by default.’).
• [T1562.001 ] Disable or Modify Tools (Impair Defenses) – The STONESTOP payload registers and uses the ABYSSWORKER driver to terminate listed security processes and optionally delete files in hard-coded directories (‘…uses the driver to terminate all running processes matching an item in this list… All files in these directories will be recursively deleted by the driver.’).
• [T1215 ] Kernel Modules and Extensions – The attack deploys and registers a malicious kernel driver (ABYSSWORKER / POORTRY / BURNTCIGAR) to perform privileged operations against security products (‘…it registers the ABYSSWORKER driver in Windows. The executable assumes that the SYS file is present in the same directory. Then it tries to load and initialize the driver.’).