SslMM

SslMM is a full-featured backdoor used by Naikon that has multiple variants. [1]

ID: S0058
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 18 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

SslMM contains a feature to manipulate process privileges and tokens.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[1]

.009 Boot or Logon Autostart Execution: Shortcut Modification

To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[1]

Enterprise T1008 Fallback Channels

SslMM has a hard-coded primary and backup C2 string.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

SslMM identifies and kills anti-malware processes.[1]

Enterprise T1056 .001 Input Capture: Keylogging

SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[1]

Enterprise T1082 System Information Discovery

SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date.[1]

Enterprise T1033 System Owner/User Discovery

SslMM sends the logged-on username to its hard-coded C2.[1]

Groups That Use This Software

ID Name References
G0019 Naikon

[1][2]

References