POORAIM is a backdoor used by APT37 in campaigns since at least 2014. It affects the following operating systems: Windows. It has used AOL Instant Messenger for C2. It can identify system information, including battery status. It can enumerate processes. It can perform screen capturing. It can conduct file browsing. It has been delivered through compromised sites acting as watering holes.
Table of Contents
POORAIM Malware Capabilities
- POORAIM may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. POORAIM may also attempt to get information about running processes on a system. The information obtained could be used to gain an understanding of common software/applications running on systems within the network.
- The PoorAim malware may attempt to take screenshots of the desktop to gather information, and may also enumerate files and directories or search in specific locations for certain information. PoorAim may gain access to a system through a user visiting a website, with the user's web browser being the target for exploitation. However, the adversary may also use compromised websites for non-exploitation behavior, such as acquiring application access tokens.
Ways to Mitigate POORAIM Malware Attacks
- The above text discusses various methods that can be used to mitigate the effects of POORAIM malware. These include host data analysis, network data analysis, and user behavior monitoring. These techniques can help to detect and respond to abnormal activity that may be associated with POORAIM malware.
- The mitigation for POORAIM malware includes monitoring for screen capture behavior and system and network discovery techniques. Firewalls and proxies can also be used to inspect URLs for potentially known-bad domains or parameters.
About Apt37 Threat Group
- Apt37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.
