| DoorMe | |
|---|---|
| Type of Malware | Exploit Kit |
| Targeted Countries | China, India |
| Date of Initial Activity | 2022 |
| Associated Groups | ChamelGang |
| Motivation | Espionage |
| Attack Vectors | Supply Chain |
| Targeted Systems | Windows |
Overview
DoorMe is an evasive remote access Trojan (RAT) built to give threat actors extensive control over compromised systems. It conceals its presence through layered obfuscation and encrypted communications, which complicate both detection and analysis. Once deployed, it establishes a persistent foothold by modifying system configurations and uses covert channels to exfiltrate sensitive data. Its capabilities include keylogging, credential theft, and remote command execution, making it a formidable tool for the cybercriminals that deploy it against both individuals and organizations.
Targets
Information
Public Administration
Manufacturing
Health Care and Social Assistance
Retail Trade
Accommodation and Food Services
How it operates
Upon execution, DoorMe uses several methods to persist and evade detection. Its primary execution technique is a command and scripting interpreter, typically PowerShell, through which it runs its commands and scripts. The malware is usually obfuscated, which makes detection and analysis harder. To survive a reboot, DoorMe can create or modify system processes or add registry Run keys, giving it a long-term foothold on the host.
Privilege escalation is another critical part of DoorMe’s operation. The malware exploits known vulnerabilities or dumps credentials to obtain higher-level permissions on the infected system. With elevated privileges it can reach sensitive areas of the system and collect valuable information, such as credentials and system configuration, extending its control over the compromised environment.
DoorMe’s command and control (C2) traffic connects the malware to its operators. It often uses web services as the C2 channel, which lets it send and receive instructions covertly. Collected data is staged locally and then transferred to the attackers, either over the C2 channel itself or over an alternative protocol to avoid detection.
In terms of impact, DoorMe can cause significant disruption: it can delete or corrupt data, affecting the integrity and availability of critical information. It also performs system information discovery to gather intelligence on the infected host and network, supporting further attacks or data theft.
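As an added defensive example (not part of the original profile and not DoorMe's own code), the following Python triages exported registry Run key values for the combination described above: a PowerShell launcher with hidden-window, policy-bypass or -EncodedCommand flags, and decodes the encoded script so an analyst can see what actually persists. The sample Run key values are constructed, and the abbreviated-parameter matching reflects PowerShell's acceptance of unambiguous parameter-name prefixes.

```python
import base64
import re

# Constructed sample of Run key values (HKCU\...\Run and HKLM\...\Run), as a
# triage script would export them: value name -> command line. NOT DoorMe indicators.
STAGED_CMD = "Start-Sleep 30; Invoke-Expression (Get-Content 'C:\\ProgramData\\u.ps1' -Raw)"
STAGED_B64 = base64.b64encode(STAGED_CMD.encode("utf-16le")).decode("ascii")
SAMPLE_RUN_KEYS = {
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "SecurityHealth": "C:\\Windows\\system32\\SecurityHealthSystray.exe",
    "Updater": "powershell.exe -NoP -W Hidden -Exec Bypass -enc " + STAGED_B64,
    "Backup": 'powershell.exe -ExecutionPolicy Bypass -File "C:\\Scripts\\backup.ps1"',
}

PS_LAUNCHER = re.compile(r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b")
# PowerShell accepts unambiguous prefixes of parameter names (-e, -ec, -enc ...), so match those too.
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")
LAUNCH_FLAGS = re.compile(r"(?i)-(?:w[a-z]*\s+hidden|ex[a-z]*\s+bypass|nop[a-z]*)")

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand (any accepted prefix), or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None

def assess_run_entry(cmdline):
    """Score one Run key command line: returns (suspicious, reasons, decoded_script)."""
    reasons = []
    if not PS_LAUNCHER.search(cmdline):
        return False, reasons, None           # only PowerShell launchers are in scope here
    reasons += ["launch flag: " + f for f in LAUNCH_FLAGS.findall(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
        if re.search(r"(?i)\b(?:iex|invoke-expression)\b", decoded):
            reasons.append("decoded script evaluates a string (Invoke-Expression)")
    # A lone -ExecutionPolicy Bypass with -File is common admin practice; require more than that.
    return decoded is not None or len(reasons) >= 2, reasons, decoded

def triage(run_keys):
    """Return {value_name: (reasons, decoded_script)} for every suspicious entry."""
    results = {name: assess_run_entry(cmd) for name, cmd in run_keys.items()}
    return {name: (r, d) for name, (s, r, d) in results.items() if s}

if __name__ == "__main__":
    print(triage(SAMPLE_RUN_KEYS))   # flags only "Updater" and shows its decoded script
```

On a live host the same functions can be fed the output of a Run key export; the decoded script, not the Base64 blob, is what belongs in the incident record.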
MITRE Tactics and Techniques
Initial Access:
Phishing: T1566
Exploitation of Public-Facing Application: T1190
Execution:
Command and Scripting Interpreter: T1059
PowerShell: T1059.001
Persistence:
Registry Run Keys / Startup Folder: T1547.001
Create or Modify System Process: T1543.003
Privilege Escalation:
Exploitation for Privilege Escalation: T1068
Credential Dumping: T1003
Defense Evasion:
Obfuscated Files or Information: T1027
Software Packing: T1045
Credential Access:
Keylogging: T1056.001
Credential Dumping: T1003
Command and Control (C2):
Command and Control Over Web Service: T1102
Data Staged: T1074
Exfiltration:
Exfiltration Over C2 Channel: T1041
Exfiltration Over Alternative Protocol: T1048
Impact:
Data Destruction: T1485
System Information Discovery: T1082