Description
[Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://attack.mitre.org/software/S0666) has been used by the Gelsemium group since at least 2014.(Citation: ESET Gelsemium June 2021)
External References
Techniques Used by This Malware
- T1005 — Data from Local System
- T1008 — Fallback Channels
- T1012 — Query Registry
- T1027.011 — Fileless Storage
- T1027.015 — Compression
- T1027.016 — Junk Code Insertion
- T1033 — System Owner/User Discovery
- T1036.001 — Invalid Code Signature
- T1036.005 — Match Legitimate Resource Name or Location
- T1055.001 — Dynamic-link Library Injection
- T1057 — Process Discovery
- T1059.003 — Windows Command Shell
- T1070.004 — File Deletion
- T1070.006 — Timestomp
- T1071.001 — Web Protocols
- T1071.004 — DNS
- T1082 — System Information Discovery
- T1083 — File and Directory Discovery
- T1095 — Non-Application Layer Protocol
- T1105 — Ingress Tool Transfer
- T1106 — Native API
- T1112 — Modify Registry
- T1134 — Access Token Manipulation
- T1140 — Deobfuscate/Decode Files or Information
- T1497 — Virtualization/Sandbox Evasion
- T1518.001 — Security Software Discovery
- T1543.003 — Windows Service
- T1547.001 — Registry Run Keys / Startup Folder
- T1547.012 — Print Processors
- T1548.002 — Bypass User Account Control
- T1559.001 — Component Object Model
- T1568 — Dynamic Resolution
- T1620 — Reflective Code Loading