Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)

Backdoor.Oldrea is a modular backdoor that used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	1
Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	1
Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	1
Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	Email Account - T1087.003 (4bc31b94-045b-4752-8920-aebaebdb6470)	Attack Pattern	1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	1
Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	1
Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	Havex RAT (d7183f66-59ec-4803-be20-237b442259fc)	Tool	1
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	1
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	1
Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	1
Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	1
Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	1
Backdoor.Oldrea - S0093 (083bb47b-02c8-4423-81a2-f9ef58572974)	Malware	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	2
Email Account - T1087.003 (4bc31b94-045b-4752-8920-aebaebdb6470)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
Havex RAT (c04fc02e-f35a-44b6-a9b0-732bf2fc551a)	Malpedia	Havex RAT (d7183f66-59ec-4803-be20-237b442259fc)	Tool	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2