The TDTESS backdoor is used by the CopyKittens cybercrime group to infect Windows systems. The malware establishes persistence on an infected system by creating a new service named bmwappushservice. This service allows the attackers to remotely control the system and execute additional files. The backdoor also provides a reverse shell, allowing the attackers to access the system directly.
Table of Contents
TDTESS Malware Capabilities
- TDTESS may modify file time attributes (timestomping) to hide new files or changes to existing files, making it harder for forensic investigators and file analysis tools to detect its activity. It may also delete files that could be used to trace its activity, and it can transfer tools and other files into a compromised environment.
Ways to Mitigate TDTESS Malware Attacks
- Methods for detecting and mitigating TDTESS include: detecting timestomping through file modification monitoring, monitoring for command-line file deletion, and monitoring file creation and files transferred into the network.
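The first of those methods, detecting timestomping from file modification monitoring, can be illustrated with a small heuristic check. This is an added example, not code from the original page or from any tool it names. It assumes a monitoring agent that records, for each file it sees appear on disk, the time it was first observed together with the creation and last-write timestamps the filesystem reports; the record schema and the sample events are constructed for the example.

```python
"""Heuristic timestomping detection over constructed file-monitoring records."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class FileEvent:
    """One file-appearance observation from a monitoring agent (constructed schema)."""
    path: str
    observed: datetime  # when the monitor first saw the file appear on disk
    created: datetime   # creation timestamp the filesystem reports for it
    modified: datetime  # last-write timestamp the filesystem reports for it


# A creation time older than this, relative to first observation, is treated as backdated.
BACKDATE_TOLERANCE = timedelta(minutes=5)


def timestomp_indicators(ev: FileEvent) -> list[str]:
    """Return the indicators that apply to one event (empty list if none)."""
    reasons = []
    # A file that has just appeared should carry a creation time close to when the
    # monitor saw it. A creation time far in the past was written after the fact.
    if ev.created < ev.observed - BACKDATE_TOLERANCE:
        reasons.append("creation time predates first observation")
    # NTFS keeps timestamps at 100 ns resolution; timestomping tools commonly write
    # whole-second values, so zero fractional parts on both fields is suspicious.
    if ev.created.microsecond == 0 and ev.modified.microsecond == 0:
        reasons.append("whole-second timestamps")
    # Note: an old last-write time on its own is NOT flagged. Ordinary file copies
    # preserve the source's modification time, so that alone is normal.
    return reasons


def scan(events):
    """Map each suspicious path to the list of indicators that fired for it."""
    return {ev.path: r for ev in events if (r := timestomp_indicators(ev))}


# Constructed sample records: one ordinary new file, one ordinary copy, one backdated file.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\alice\report.docx",
              observed=datetime(2024, 3, 1, 10, 0, 0, 123456, tzinfo=UTC),
              created=datetime(2024, 3, 1, 10, 0, 0, 98765, tzinfo=UTC),
              modified=datetime(2024, 3, 1, 10, 0, 0, 98765, tzinfo=UTC)),
    # Copied file: fresh creation time, last-write time carried over from the source.
    FileEvent(r"C:\Tools\util.dll",
              observed=datetime(2024, 3, 1, 10, 5, 0, 500000, tzinfo=UTC),
              created=datetime(2024, 3, 1, 10, 5, 0, 400000, tzinfo=UTC),
              modified=datetime(2023, 1, 15, 8, 30, 0, 0, tzinfo=UTC)),
    # Backdated file: both timestamps set years into the past, to whole seconds.
    FileEvent(r"C:\Windows\Temp\svc.exe",
              observed=datetime(2024, 3, 1, 10, 10, 0, 700000, tzinfo=UTC),
              created=datetime(2019, 6, 1, 12, 0, 0, tzinfo=UTC),
              modified=datetime(2019, 6, 1, 12, 0, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(f"{path}: {', '.join(reasons)}")
```

Only the backdated file is reported; the copied DLL with an old last-write time is left alone. The backdating check is a heuristic: backup and deployment tools that deliberately preserve creation times will trigger it, so in practice the results are triaged against the process that wrote the file rather than treated as a verdict on their own.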
About Oilrig Threat Group
The two groups are responsible for different cyber espionage campaigns, with CopyKittens targeting countries such as Israel and the US, and Oilrig targeting Middle Eastern and international victims across a variety of sectors.