The “Hikit” rootkit: advanced and persistent attack techniques (part 1)

From Botnets.fr

Type: Publication
Botnet: Hikit
Feature: Rootkit
Date: 2012-08-20
Editor/Conference: Mandiant
Link: https://blog.mandiant.com/archives/3155 (archive copy on blog.mandiant.com)
Author: Ryan Kazanciyan, Christopher Glyer

Abstract

We first encountered this malware during a sweep of thousands of systems in a victim environment for Indicators of Compromise (IOCs), using our Mandiant Intelligent Response (MIR) platform. The attacker already had administrator privileges to the entire corporate Windows domain and had compromised numerous systems. Fortunately, we had several indicators gathered during the onset of the investigation that we could use during initial MIR sweeps. For instance, we knew they were fond of using the old-but-reliable “sticky keys” technique, whereby “sethc.exe” is overwritten with a copy of “cmd.exe” to provide unauthenticated access during RDP logon. (Carnal0wnage’s blog has a nice succinct write-up of this attack here.)
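The “sticky keys” check in practice. The PowerShell below is an added example for this wiki entry, not code from the Mandiant post: it tests whether sethc.exe in System32 has been replaced by a copy of cmd.exe, as the abstract describes. It goes beyond the post in two ways, both labelled in the comments: it also checks the other accessibility binaries that can be launched from the Windows logon screen (utilman.exe, osk.exe, magnify.exe, narrator.exe, displayswitch.exe, atbroker.exe), and it checks the Image File Execution Options “Debugger” variant of the same backdoor, which redirects sethc.exe to cmd.exe without modifying the file. The list of target binaries is the author's assumption, not taken from the post.

```powershell
# Added example (not from the Mandiant post): hunt for the "sticky keys" backdoor,
# i.e. an accessibility binary in System32 replaced by a copy of cmd.exe.
# Run in an elevated PowerShell 4.0+ session (Get-FileHash needs 4.0).

$system32 = Join-Path $env:SystemRoot 'System32'

# Attacker copies of cmd.exe are byte-identical to the system's own, so a hash
# comparison is the most direct test for the overwrite the post describes.
$cmdHash = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

# sethc.exe is the binary named in the post; the others are an assumption of this
# example: accessibility helpers also reachable from the logon screen.
$targets = 'sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe',
           'narrator.exe', 'displayswitch.exe', 'atbroker.exe'

$findings = foreach ($name in $targets) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash

    # Secondary signal: a file replaced by something other than cmd.exe will no
    # longer carry a valid Microsoft signature.
    $sig = Get-AuthenticodeSignature -FilePath $path

    # Variant beyond the post: an IFEO "Debugger" value makes Windows launch the
    # named debugger (typically cmd.exe) instead of the binary, file untouched.
    $ifeoKey  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$name"
    $debugger = (Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger

    [pscustomobject]@{
        File         = $name
        SameAsCmdExe = ($hash -eq $cmdHash)
        SignatureOK  = ($sig.Status -eq 'Valid')
        IFEODebugger = $debugger
        Suspicious   = ($hash -eq $cmdHash) -or ($sig.Status -ne 'Valid') -or [bool]$debugger
    }
}

$findings | Format-Table -AutoSize

if ($findings | Where-Object Suspicious) {
    Write-Warning 'Possible sticky keys backdoor: review the rows marked Suspicious.'
}
```

SameAsCmdExe is the decisive column for the technique in the post; SignatureOK can give false positives on older Windows releases where system binaries are catalog-signed and Get-AuthenticodeSignature reports them as NotSigned, so treat it as corroboration rather than proof. A non-empty IFEODebugger on any of these binaries has no legitimate use on a production host and should be treated as a finding in its own right.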

Bibtex

 @misc{Kazanciyan2012BFR1129,
   editor = {Mandiant},
   author = {Ryan Kazanciyan and Christopher Glyer},
   title = {The “Hikit” rootkit: advanced and persistent attack techniques (part 1)},
   day = {20},
   month = aug,
   year = {2012},
   howpublished = {\url{https://blog.mandiant.com/archives/3155}},
 }