Skip to content

Hide Navigation Hide TOC

Edit

Backdoor

A list of backdoor malware.

Authors
Authors and/or Contributors
raw-data

WellMess

Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.

Internal MISP references

UUID e0e79fab-0f1d-4fc2-b424-208cb019a9cd which can be used as unique global reference for WellMess in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date July 2018.
Related clusters

To see the related clusters, click here.

Rosenbridge

The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.

While the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.

The rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU's memory, but its register file and execution pipeline as well.

Internal MISP references

UUID 2bb165dc-9f93-11e8-ae64-d3dbab0dd786 which can be used as unique global reference for Rosenbridge in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
date August 2018

ServHelper

The purpose of the macro was to download and execute a variant of ServHelper that set up reverse SSH tunnels that enabled access to the infected host through the Remote Desktop Protocol (RDP) port 3389.

"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit," researchers from Proofpoint explain in an analysis released today.

The other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader for the FlawedGrace RAT.

Internal MISP references

UUID 8b50360c-4d16-4f52-be75-e74c27f533df which can be used as unique global reference for ServHelper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Rising Sun

The Rising Sun backdoor uses the RC4 cipher to encrypt its configuration data and communications. As with most backdoors, on initial infection, Rising Sun will send data regarding the infected system to a command and control (C2) site. That information captures computer and user name, IP address, operating system version and network adapter information. Rising Sun contains 14 functions including executing commands, obtaining information on disk drives and running processes, terminating processes, obtaining file creation and last access times, reading and writing files, deleting files, altering file attributes, clearing the memory of processes and connecting to a specified IP address.

Internal MISP references

UUID 0ae6636e-87e4-4b4c-a1c8-e14e1cab964f which can be used as unique global reference for Rising Sun in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SLUB

A new backdoor was observed using the Github Gist service and the Slack messaging system as communication channels with its masters, as well as targeting a very specific type of victim using a watering hole attack. The backdoor dubbed SLUB by the Trend Micro Cyber Safety Solutions Team who detected it in the wild is part of a multi-stage infection process designed by capable threat actors who programmed it in C++. SLUB uses statically-linked curl, boost, and JsonCpp libraries for performing HTTP request, "extracting commands from gist snippets," and "parsing Slack channel communication." The campaign recently observed by the Trend Micro security researchers abusing the Github and Slack uses a multi-stage infection process.

Internal MISP references

UUID a4757e11-0837-42c0-958a-7490cff58687 which can be used as unique global reference for SLUB in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Asruex

Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code in Word and PDF files respectively.

Internal MISP references

UUID b7ad60a0-d648-4775-adec-c78b1a92fc34 which can be used as unique global reference for Asruex in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

FlowerPippi

Internal MISP references

UUID aefe3603-8f96-425c-9f71-9fe21334f224 which can be used as unique global reference for FlowerPippi in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Speculoos

FreeBSD-based payload, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands. This vulnerability was first disclosed on December 17, 2019 via security bulletin CTX267679 which contained several mitigation recommendations. By January 24, 2020, permanent patches for the affected appliances were issued. Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, considering the exploitation of the vulnerability in conjunction with delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates the adversary was absolutely targeting the affected devices.

Internal MISP references

UUID 201e8794-a93b-476f-9436-1dd859c6e5d9 which can be used as unique global reference for Speculoos in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Mori Backdoor

Mori Backdoor has been used by Seedworm.

Internal MISP references

UUID e663ac1b-9474-4f9a-b0c8-184861327dd7 which can be used as unique global reference for Mori Backdoor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

BazarBackdoor

Something that made the brute-force attacks on RDP connections easier was a new module of the notorious Trojan, TrickBot. It now seems that the TrickBot developers have a new tactic. Cybersecurity researchers have discovered a new phishing campaign that delivers a stealthy backdoor called BazarBackdoor, which can be used to compromise and gain full access to corporate networks. As is the case with 91% of cyberattacks, this one starts with a phishing email. A range of subjects are used to personalize the emails: Customer complaints, coronavirus-themed payroll reports, or employee termination lists. All these emails contain links to documents hosted on Google Docs. To send the malicious emails, the cybercriminals use the marketing platform Sendgrid. This campaign uses spear phishing, which means that the perpetrators have made an effort to ensure that the websites sent in the emails seem legitimate and correspond to the emails subjects.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BazarBackdoor.

Known Synonyms
BEERBOT
KEGTAP
Team9Backdoor
bazaarloader
bazaloader
bazarloader
Internal MISP references

UUID 1523a693-5d90-4da1-86d2-b5d22317820d which can be used as unique global reference for BazarBackdoor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SUNBURST

Backdoor.Sunburst is Malwarebytes’ detection name for a trojanized update to SolarWind’s Orion IT monitoring and management software.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SUNBURST.

Known Synonyms
Solarigate
Internal MISP references

UUID 16902832-0118-40f2-b29e-eaba799b2bf4 which can be used as unique global reference for SUNBURST in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

BPFDoor

BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant

Internal MISP references

UUID 0c3b1aa5-3a33-493e-9126-28ebced4ed09 which can be used as unique global reference for BPFDoor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

BOLDMOVE

According to Mandiant, this malware family is attributed to potential chinese background and its Linux variant is related to exploitation of Fortinet's SSL-VPN (CVE-2022-42475).

Internal MISP references

UUID 2cef78bd-f097-4477-8888-79359042b515 which can be used as unique global reference for BOLDMOVE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

PowerMagic

Internal MISP references

UUID c866b002-1cb6-4c91-8a8b-f0b0c6ac2b1a which can be used as unique global reference for PowerMagic in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

VEILEDSIGNAL

VEILEDSIGNAL is a backdoor written in C that is able to execute shellcode and terminate itself. Additionally, VEILEDSIGNAL relies on additional modules that connect via Windows named pipes to interact with the Command and Control(C2) infrastructure.

Internal MISP references

UUID f482f9bb-ced1-4a2f-90cd-07df7163b44f which can be used as unique global reference for VEILEDSIGNAL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

POOLRAT

POOLRAT is a C/C++ macOS backdoor capable of collecting basic system information and executing commands. The commands performed include running arbitrary commands, secure deleting files, reading and writing files, updating the configuration.

Internal MISP references

UUID 617009c2-e6bc-4881-8f46-b9b4a68f4c04 which can be used as unique global reference for POOLRAT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

BIGRAISIN

BIGRAISIN is a C\C++ Windows based backdoor. It is capable of executing downloaded commands, executing downloaded files, and deleting files. Availability: Non-public

Internal MISP references

UUID 6d7adc1e-c6a5-42a2-8477-ce51b40674a6 which can be used as unique global reference for BIGRAISIN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

FASTFIRE

FASTFIRE is a malicious APK that connects to a server and sends details of the compromised device back to command and control (C2). Availability: Non-public

Internal MISP references

UUID 767b4d07-2746-4ad2-bc79-de15fc495e3a which can be used as unique global reference for FASTFIRE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

GRAYZONE

GRAYZONE is a C/C++ Windows backdoor capable of collecting system information, logging keystrokes, and downloading additional stages from the C2 server. Availability: Non-public

Internal MISP references

UUID 0aea9604-62dd-4646-b47d-556e09ce558e which can be used as unique global reference for GRAYZONE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

HANGMAN.V2

HANGMAN.V2 is a variant of the backdoor HANGMAN. HANGMAN.V2 is very similar to HANGMAN, but uses HTTP for the network communications and formats data passed to the C2 server differently. Availability: Non-public

Internal MISP references

UUID f62813e9-251f-4f5c-bf27-cba2d933392b which can be used as unique global reference for HANGMAN.V2 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

LOGCABIN

LOGCABIN is a file-less and modular backdoor with multiple stages. The stages consist of several VisualBasic and PowerShell scripts that are downloaded and executed. LOGCABIN collects detailed system information and sends it to the C2 before performing additional commands. Availability: Non-public

Internal MISP references

UUID 43c91440-1f70-40df-b006-ae9507b04225 which can be used as unique global reference for LOGCABIN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

SOURDOUGH

SOURDOUGH is a backdoor written in C that communicates via HTTP. Its capabilities include keylogging, screenshot capture, file transfer, file execution, and directory enumeration. Availability: Non-public

Internal MISP references

UUID 8a52581c-3308-47b8-869a-cd06053c6eff which can be used as unique global reference for SOURDOUGH in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

TROIBOMB

TROIBOMB is a C/C++ Windows backdoor that is capable of collecting system information and performing commands from the C2 server. Availability: Non-public

Internal MISP references

UUID f8444fcc-730e-4898-8ef5-6cc1976ff475 which can be used as unique global reference for TROIBOMB in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

ZIPLINE

ZIPLINE makes use of extensive functionality to ensure the authentication of its custom protocol used to establish command and control (C2).

Internal MISP references

UUID 14504cbe-8423-47aa-a947-a3ab5549a068 which can be used as unique global reference for ZIPLINE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SPAWNSNAIL

SPAWNSNAIL is a backdoor that listens on localhost. It is designed to run by injecting into the dsmdm process (process responsible for supporting mobile device management features). It creates a backdoor by exposing a limited SSH server on localhost port 8300. We assess that the attacker uses the SPAWNMOLE tunneler to interact with SPAWNSNAIL.

SPAWNSNAIL's second purpose is to inject SPAWNSLOTH into dslogserver, a process supporting event logging on Connect Secure.

Internal MISP references

UUID de390f3e-c0d1-4c70-b121-a7a98f7326aa which can be used as unique global reference for SPAWNSNAIL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

BRICKSTORM

BRICKSTORM is a Go backdoor targeting VMware vCenter servers. It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying. BRICKSTORM communicates over WebSockets to a hard-coded C2.

Internal MISP references

UUID 64a0e3ab-e201-4fdc-9836-85365dfa84bb which can be used as unique global reference for BRICKSTORM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

PHANTOMNET

PHANTOMNET is a modular backdoor that communicates using a custom communication protocol over TCP. PHANTOMNET's core functionality involves expanding its capabilities through a plugin management system. The downloaded plugins are mapped directly into memory and executed.

Internal MISP references

UUID f97ea150-a727-4d47-823a-41de07a43ea9 which can be used as unique global reference for PHANTOMNET in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

TERRIBLETEA

TERRIBLETEA is a Go backdoor that communicates over HTTP using XXTEA for encrypted communications. It is built using multiple open-source Go modules and has a multitude of capabilities including Command execution, Keystroke logging, SOCKS5 proxy, Port scanning, File system interaction, SQL query execution, Screen captures, Ability to open a new SSH session, execute commands, and upload files to a remote server.

Internal MISP references

UUID 4838b37b-2d1f-4cb8-945d-7185580f0bff which can be used as unique global reference for TERRIBLETEA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Merdoor

Merdoor is a fully-featured backdoor that appears to have been in existence since 2018. The backdoor contains the following functionality: Installing itself as a service, Keylogging, A variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP), Ability to listen on a local port for commands Instances of the Merdoor backdoor are usually identical with the exception of embedded and encrypted configuration, which determines: C&C communication method, Service details, Installation directory Typically, the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.

Internal MISP references

UUID 8ebda9f4-f8f2-4d35-ba2b-d6ecb54b23d4 which can be used as unique global reference for Merdoor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value