Reaver
Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of Control Panel items.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1560 | .003 | Archive Collected Data: Archive via Custom Method |
Reaver encrypts collected data with an incremental XOR key prior to exfiltration.[1] |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[1] |
| .009 | Boot or Logon Autostart Execution: Shortcut Modification |
Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[1] |
||
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
Reaver deletes the original dropped file from the victim.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | ||
| Enterprise | T1027 | Obfuscated Files or Information | ||
| Enterprise | T1012 | Query Registry |
Reaver queries the Registry to determine the correct Startup path to use for persistence.[1] |
|
| Enterprise | T1218 | .002 | System Binary Proxy Execution: Control Panel |
Reaver drops and executes a malicious CPL file as its payload.[1] |
| Enterprise | T1082 | System Information Discovery |
Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.[1] |
|
| Enterprise | T1016 | System Network Configuration Discovery | ||
| Enterprise | T1033 | System Owner/User Discovery | ||