win.birdcall

BirdCall

Actor(s): APT37
According to ESET Research, BirdCall is a Windows backdoor written in C++ that provides a wide range of spying capabilities, including taking screenshots, logging keystrokes and clipboard content, stealing credentials and files, and executing shell commands. It is typically deployed in a multistage loading chain with a downloader that fetches and executes shellcode, at times loaded by a RokRAT payload, and then replaces a trojanized library with a clean version to hinder analysis. For C2, BirdCall uses legitimate cloud storage services or compromised websites to enable bidirectional communication and data exfiltration.

References
2026-05-05, ESET Research, Filip Jurčacko
A rigged game: ScarCruft compromises gaming platform in a supply-chain attack
Families: BirdCall

There is no YARA signature yet.