Skip to content

Hide Navigation Hide TOC

ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403)

ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. (Citation: FOX-IT May 2016 Mofang)

Cluster A Galaxy A Cluster B Galaxy B Level
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 1
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) Attack Pattern 1
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 1
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern ShimRat - S0444 (5763217a-05b6-4edd-9bca-057e47b5e403) Malware 1
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 2
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2