Hide Navigation Hide TOC

Edit

Malware

Name of ATT&CK software

Authors

Authors and/or Contributors
MITRE

Hacking Team UEFI Rootkit - S0047

Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. (Citation: TrendMicro Hacking Team UEFI)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hacking Team UEFI Rootkit - S0047.

Known Synonyms
Hacking Team UEFI Rootkit

Internal MISP references

UUID 4b62ab58-c23b-4704-9c15-edd568cd59f8 which can be used as unique global reference for Hacking Team UEFI Rootkit - S0047 in MISP communities and other software using the MISP galaxy

External references

• http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/ - webarchive
• https://attack.mitre.org/software/S0047 - webarchive

Associated metadata

Metadata key	Value
external_id	S0047

Related clusters

To see the related clusters, click here.

X-Agent for Android - S0314

X-Agent for Android is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the CHOPSTICK.

Internal MISP references

UUID 56660521-6db4-4e5a-a927-464f22954b7c which can be used as unique global reference for X-Agent for Android - S0314 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0314 - webarchive
• https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0314

Related clusters

To see the related clusters, click here.

Red Alert 2.0 - S0539

Red Alert 2.0 is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Red Alert 2.0 - S0539.

Known Synonyms
Red Alert 2.0

Internal MISP references

UUID 6e282bbf-5f32-476a-b879-ba77eec463c8 which can be used as unique global reference for Red Alert 2.0 - S0539 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0539 - webarchive
• https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0539
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Exaramel for Linux - S0401

Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.(Citation: ESET TeleBots Oct 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Exaramel for Linux - S0401.

Known Synonyms
Exaramel for Linux

Internal MISP references

UUID 11194d8b-fdce-45d2-8047-df15bb8f16bd which can be used as unique global reference for Exaramel for Linux - S0401 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0401 - webarchive
• https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0401
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

Winnti for Linux - S0430

Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.(Citation: Chronicle Winnti for Linux May 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Winnti for Linux - S0430.

Known Synonyms
Winnti for Linux

Internal MISP references

UUID 8787e86d-8475-4f13-acea-d33eb83b6105 which can be used as unique global reference for Winnti for Linux - S0430 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0430 - webarchive
• https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a - webarchive

Associated metadata

Metadata key	Value
external_id	S0430
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

XLoader for iOS - S0490

XLoader for iOS is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the XLoader for Android.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XLoader for iOS - S0490.

Known Synonyms
XLoader for iOS

Internal MISP references

UUID 29944858-da52-4d3d-b428-f8a6eb8dde6f which can be used as unique global reference for XLoader for iOS - S0490 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0490 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0490
mitre_platforms	['iOS']

Related clusters

To see the related clusters, click here.

Winnti for Windows - S0141

Winnti for Windows is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, Winnti Group.(Citation: Kaspersky Winnti April 2013)(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)(Citation: 401 TRG Winnti Umbrella May 2018). The Linux variant is tracked separately under Winnti for Linux.(Citation: Chronicle Winnti for Linux May 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Winnti for Windows - S0141.

Known Synonyms
Winnti for Windows

Internal MISP references

UUID d3afa961-a80c-4043-9509-282cdf69ab21 which can be used as unique global reference for Winnti for Windows - S0141 in MISP communities and other software using the MISP galaxy

External references

• https://401trg.github.io/pages/burning-umbrella.html - webarchive
• https://attack.mitre.org/software/S0141 - webarchive
• https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/ - webarchive
• https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a - webarchive
• https://securelist.com/winnti-more-than-just-a-game/37029/ - webarchive
• https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0141
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Pegasus for Android - S0316

Pegasus for Android is the Android version of malware that has reportedly been linked to the NSO Group. (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under Pegasus for iOS.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pegasus for Android - S0316.

Known Synonyms
Chrysaor
Pegasus for Android

Internal MISP references

UUID 93799a9d-3537-43d8-b6f4-17215de1657c which can be used as unique global reference for Pegasus for Android - S0316 in MISP communities and other software using the MISP galaxy

External references

• https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html - webarchive
• https://attack.mitre.org/software/S0316 - webarchive
• https://blog.lookout.com/blog/2017/04/03/pegasus-android/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0316
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

XLoader for Android - S0318

XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the XLoader for iOS.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XLoader for Android - S0318.

Known Synonyms
XLoader for Android

Internal MISP references

UUID 2740eaf6-2db2-4a40-a63f-f5b166c7059c which can be used as unique global reference for XLoader for Android - S0318 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0318 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/ - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0318
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Pegasus for iOS - S0289

Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.(Citation: Lookout-Pegasus)(Citation: PegasusCitizenLab) The Android version is tracked separately under Pegasus for Android.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pegasus for iOS - S0289.

Known Synonyms
Pegasus for iOS

Internal MISP references

UUID 33d9d91d-aad9-49d5-a516-220ce101ac8a which can be used as unique global reference for Pegasus for iOS - S0289 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0289 - webarchive
• https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ - webarchive
• https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0289
mitre_platforms	['iOS']

Related clusters

To see the related clusters, click here.

Exaramel for Windows - S0343

Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.(Citation: ESET TeleBots Oct 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Exaramel for Windows - S0343.

Known Synonyms
Exaramel for Windows

Internal MISP references

UUID 051eaca1-958f-4091-9e5f-a9acd8f820b5 which can be used as unique global reference for Exaramel for Windows - S0343 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0343 - webarchive
• https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0343
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

P.A.S. Webshell - S0598

P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.(Citation: ANSSI Sandworm January 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular P.A.S. Webshell - S0598.

Known Synonyms
Fobushell
P.A.S. Webshell

Internal MISP references

UUID 4800d0f9-00aa-47cd-a4d2-92198585b8fd which can be used as unique global reference for P.A.S. Webshell - S0598 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0598 - webarchive
• https://us-cert.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf - webarchive
• https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0598
mitre_platforms	['Linux', 'Windows']

Related clusters

To see the related clusters, click here.

gh0st RAT - S0032

gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular gh0st RAT - S0032.

Known Synonyms
Moudoor
Mydoor
gh0st RAT

Internal MISP references

UUID 88c621a7-aef9-4ae0-94e3-1fc87123eb24 which can be used as unique global reference for gh0st RAT - S0032 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0032 - webarchive
• https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/ - webarchive
• https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf - webarchive
• https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/ - webarchive
• https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0032
mitre_platforms	['Windows', 'macOS']

Related clusters

To see the related clusters, click here.

China Chopper - S0020

China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.(Citation: Lee 2013) It has been used by several threat groups.(Citation: Dell TG-3390)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Rapid7 HAFNIUM Mar 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular China Chopper - S0020.

Known Synonyms
China Chopper

Internal MISP references

UUID 5a3a31fe-5a8f-48e1-bff0-a753e5b1be70 which can be used as unique global reference for China Chopper - S0020 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0020 - webarchive
• https://us-cert.cisa.gov/ncas/alerts/aa21-200a - webarchive
• https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html - webarchive
• https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive
• https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/ - webarchive
• https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage - webarchive

Associated metadata

Metadata key	Value
external_id	S0020
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Skeleton Key - S0007

Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. (Citation: Dell Skeleton) Functionality similar to Skeleton Key is included as a module in Mimikatz.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Skeleton Key - S0007.

Known Synonyms
Skeleton Key

Internal MISP references

UUID 89f63ae4-f229-4a5c-95ad-6f22ed2b5c49 which can be used as unique global reference for Skeleton Key - S0007 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0007 - webarchive
• https://www.secureworks.com/research/skeleton-key-malware-analysis - webarchive

Associated metadata

Metadata key	Value
external_id	S0007
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

P2P ZeuS - S0016

P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. (Citation: Dell P2P ZeuS)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular P2P ZeuS - S0016.

Known Synonyms
Gameover ZeuS
P2P ZeuS
Peer-to-Peer ZeuS

Internal MISP references

UUID b2c5d3ca-b43a-4888-ad8d-e2d43497bf85 which can be used as unique global reference for P2P ZeuS - S0016 in MISP communities and other software using the MISP galaxy

External references

• http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/ - webarchive
• https://attack.mitre.org/software/S0016 - webarchive

Associated metadata

Metadata key	Value
external_id	S0016
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Unknown Logger - S0130

Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. (Citation: Forcepoint Monsoon)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Unknown Logger - S0130.

Known Synonyms
Unknown Logger

Internal MISP references

UUID ab3580c8-8435-4117-aace-3d9fbe46aa56 which can be used as unique global reference for Unknown Logger - S0130 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0130 - webarchive
• https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0130
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Black Basta - S1070

Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMWare ESXi servers. Black Basta operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the Black Basta RaaS operators could include current or former members of the Conti group.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Minerva Labs Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Cyble Black Basta May 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Black Basta - S1070.

Known Synonyms
Black Basta

Internal MISP references

UUID 8d242fb4-9033-4f13-8a88-4b9b4bcd9a53 which can be used as unique global reference for Black Basta - S1070 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1070 - webarchive
• https://blog.cyble.com/2022/05/06/black-basta-ransomware/ - webarchive
• https://minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/ - webarchive
• https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ - webarchive
• https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware - webarchive
• https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware - webarchive
• https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence - webarchive

Associated metadata

Metadata key	Value
external_id	S1070
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Cherry Picker - S0107

Cherry Picker is a point of sale (PoS) memory scraper. (Citation: Trustwave Cherry Picker)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cherry Picker - S0107.

Known Synonyms
Cherry Picker

Internal MISP references

UUID b2203c59-4089-4ee4-bfe1-28fa25f0dbfe which can be used as unique global reference for Cherry Picker - S0107 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0107 - webarchive
• https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0107
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Zeus Panda - S0330

Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. Zeus Panda’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zeus Panda - S0330.

Known Synonyms
Zeus Panda

Internal MISP references

UUID 198db886-47af-4f4c-bff5-11b891f85946 which can be used as unique global reference for Zeus Panda - S0330 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0330 - webarchive
• https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More - webarchive
• https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0330
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SpyNote RAT - S0305

SpyNote RAT (Remote Access Trojan) is a family of malicious Android apps. The SpyNote RAT builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SpyNote RAT - S0305.

Known Synonyms
SpyNote RAT

Internal MISP references

UUID 20dbaf05-59b8-4dc6-8777-0b17f4553a23 which can be used as unique global reference for SpyNote RAT - S0305 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0305 - webarchive
• https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app - webarchive

Associated metadata

Metadata key	Value
external_id	S0305
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

3PARA RAT - S0066

3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. (Citation: CrowdStrike Putter Panda)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 3PARA RAT - S0066.

Known Synonyms
3PARA RAT

Internal MISP references

UUID 7bec698a-7e20-4fd3-bb6a-12787770fb1a which can be used as unique global reference for 3PARA RAT - S0066 in MISP communities and other software using the MISP galaxy

External references

• http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf - webarchive
• https://attack.mitre.org/software/S0066 - webarchive

Associated metadata

Metadata key	Value
external_id	S0066
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Agent Smith - S0440

Agent Smith is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019 Agent Smith had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Agent Smith - S0440.

Known Synonyms
Agent Smith

Internal MISP references

UUID a6228601-03f6-4949-ae22-c1087627a637 which can be used as unique global reference for Agent Smith - S0440 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0440 - webarchive
• https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0440
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

4H RAT - S0065

4H RAT is malware that has been used by Putter Panda since at least 2007. (Citation: CrowdStrike Putter Panda)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular 4H RAT - S0065.

Known Synonyms
4H RAT

Internal MISP references

UUID 8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc which can be used as unique global reference for 4H RAT - S0065 in MISP communities and other software using the MISP galaxy

External references

• http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf - webarchive
• https://attack.mitre.org/software/S0065 - webarchive

Associated metadata

Metadata key	Value
external_id	S0065
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Desert Scorpion - S0505

Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Desert Scorpion - S0505.

Known Synonyms
Desert Scorpion

Internal MISP references

UUID 3271c107-92c4-442e-9506-e76d62230ee8 which can be used as unique global reference for Desert Scorpion - S0505 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0505 - webarchive
• https://blog.lookout.com/desert-scorpion-google-play - webarchive

Associated metadata

Metadata key	Value
external_id	S0505
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Net Crawler - S0056

Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. (Citation: Cylance Cleaver)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Net Crawler - S0056.

Known Synonyms
Net Crawler
NetC

Internal MISP references

UUID fde50aaa-f5de-4cb8-989a-babb57d6a704 which can be used as unique global reference for Net Crawler - S0056 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0056 - webarchive
• https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0056
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Bad Rabbit - S0606

Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bad Rabbit - S0606.

Known Synonyms
Bad Rabbit
Win32/Diskcoder.D

Internal MISP references

UUID 2eaa5319-5e1e-4dd7-bbc4-566fced3964a which can be used as unique global reference for Bad Rabbit - S0606 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0606 - webarchive
• https://securelist.com/bad-rabbit-ransomware/82851/ - webarchive
• https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/ - webarchive
• https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0606
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Green Lambert - S0690

Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.(Citation: Kaspersky Lamberts Toolkit April 2017)(Citation: Objective See Green Lambert for OSX Oct 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Green Lambert - S0690.

Known Synonyms
Green Lambert

Internal MISP references

UUID 59c8a28c-200c-4565-9af1-cbdb24870ba0 which can be used as unique global reference for Green Lambert - S0690 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0690 - webarchive
• https://objective-see.com/blog/blog_0x68.html - webarchive
• https://securelist.com/unraveling-the-lamberts-toolkit/77990/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0690
mitre_platforms	['Windows', 'iOS', 'macOS', 'Linux']

Related clusters

To see the related clusters, click here.

Saint Bot - S1018

Saint Bot is a .NET downloader that has been used by Ember Bear since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Internal MISP references

UUID 7724581b-06ff-4d2b-b77c-80dc8d53070b which can be used as unique global reference for Saint Bot - S1018 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1018 - webarchive
• https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/ - webarchive
• https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1018
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Heyoka Backdoor - S1027

Heyoka Backdoor is a custom backdoor--based on the Heyoka open source exfiltration tool--that has been used by Aoqin Dragon since at least 2013.(Citation: SentinelOne Aoqin Dragon June 2022)(Citation: Sourceforge Heyoka 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Heyoka Backdoor - S1027.

Known Synonyms
Heyoka Backdoor

Internal MISP references

UUID dff90475-9f72-41a6-84ed-1fbefd3874c0 which can be used as unique global reference for Heyoka Backdoor - S1027 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1027 - webarchive
• https://heyoka.sourceforge.net/ - webarchive
• https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1027
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Action RAT - S1028

Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghani government personnel.(Citation: MalwareBytes SideCopy Dec 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Action RAT - S1028.

Known Synonyms
Action RAT

Internal MISP references

UUID 36801ffb-5c85-4c50-9121-6122e389366d which can be used as unique global reference for Action RAT - S1028 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1028 - webarchive
• https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure - webarchive

Associated metadata

Metadata key	Value
external_id	S1028
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

AutoIt backdoor - S0129

AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. (Citation: Forcepoint Monsoon) This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AutoIt backdoor - S0129.

Known Synonyms
AutoIt backdoor

Internal MISP references

UUID f5352566-1a64-49ac-8f7f-97e1d1a03300 which can be used as unique global reference for AutoIt backdoor - S0129 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0129 - webarchive
• https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0129
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

AuTo Stealer - S1029

AuTo Stealer is malware written in C++ has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.(Citation: MalwareBytes SideCopy Dec 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AuTo Stealer - S1029.

Known Synonyms
AuTo Stealer

Internal MISP references

UUID 3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5 which can be used as unique global reference for AuTo Stealer - S1029 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1029 - webarchive
• https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure - webarchive

Associated metadata

Metadata key	Value
external_id	S1029
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Agent Tesla - S0331

Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Agent Tesla - S0331.

Known Synonyms
Agent Tesla

Internal MISP references

UUID e7a5229f-05eb-440e-b982-9a6d2b2b87c8 which can be used as unique global reference for Agent Tesla - S0331 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0331 - webarchive
• https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/ - webarchive
• https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html - webarchive
• https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/ - webarchive
• https://www.digitrustgroup.com/agent-tesla-keylogger/ - webarchive
• https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0331
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Small Sieve - S1035

Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: NCSC GCHQ Small Sieve Jan 2022)

Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.(Citation: Mandiant UNC3313 Feb 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Small Sieve - S1035.

Known Synonyms
GRAMDOOR
Small Sieve

Internal MISP references

UUID ff41b9b6-4c1d-407b-a7e2-835109c8dbc5 which can be used as unique global reference for Small Sieve - S1035 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1035 - webarchive
• https://www.cisa.gov/uscert/ncas/alerts/aa22-055a - webarchive
• https://www.mandiant.com/resources/telegram-malware-iranian-espionage - webarchive
• https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S1035
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Cobalt Strike - S0154

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual)

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.(Citation: cobaltstrike manual)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cobalt Strike - S0154.

Known Synonyms
Cobalt Strike

Internal MISP references

UUID a7881f21-e978-4fe4-af56-92c9416a2616 which can be used as unique global reference for Cobalt Strike - S0154 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0154 - webarchive
• https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0154
mitre_platforms	['Windows', 'Linux', 'macOS']

Related clusters

To see the related clusters, click here.

Ragnar Locker - S0481

Ragnar Locker is a ransomware that has been in use since at least December 2019.(Citation: Sophos Ragnar May 2020)(Citation: Cynet Ragnar Apr 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ragnar Locker - S0481.

Known Synonyms
Ragnar Locker

Internal MISP references

UUID 54895630-efd2-4608-9c24-319de972a9eb which can be used as unique global reference for Ragnar Locker - S0481 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0481 - webarchive
• https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/ - webarchive
• https://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0481
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Woody RAT - S1065

Woody RAT is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.(Citation: MalwareBytes WoodyRAT Aug 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Woody RAT - S1065.

Known Synonyms
Woody RAT

Internal MISP references

UUID 3bc7e862-5610-4c02-9c48-15b2e2dc1ddb which can be used as unique global reference for Woody RAT - S1065 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1065 - webarchive
• https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild - webarchive

Associated metadata

Metadata key	Value
external_id	S1065
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SYNful Knock - S0519

SYNful Knock is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: Mandiant - Synful Knock)(Citation: Cisco Synful Knock Evolution)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SYNful Knock - S0519.

Known Synonyms
SYNful Knock

Internal MISP references

UUID 84c1ecc6-e5a2-4e8a-bf4b-651a618e0053 which can be used as unique global reference for SYNful Knock - S0519 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0519 - webarchive
• https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices - webarchive
• https://www.mandiant.com/resources/synful-knock-acis - webarchive

Associated metadata

Metadata key	Value
external_id	S0519
mitre_platforms	['Network']

Related clusters

To see the related clusters, click here.

Power Loader - S0177

Power Loader is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)

Internal MISP references

UUID 0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3 which can be used as unique global reference for Power Loader - S0177 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0177 - webarchive
• https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html - webarchive
• https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0177

Related clusters

To see the related clusters, click here.

HUI Loader - S1097

HUI Loader is a custom DLL loader that has been used since at least 2015 by China-based threat groups including Cinnamon Tempest and menuPass to deploy malware on compromised hosts. HUI Loader has been observed in campaigns loading SodaMaster, PlugX, Cobalt Strike, Komplex, and several strains of ransomware.(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HUI Loader - S1097.

Known Synonyms
HUI Loader

Internal MISP references

UUID 54089fba-8662-4f37-9a44-6ad25a5f630a which can be used as unique global reference for HUI Loader - S1097 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1097 - webarchive
• https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive

Associated metadata

Metadata key	Value
external_id	S1097
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Brave Prince - S0252

Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Brave Prince - S0252.

Known Synonyms
Brave Prince

Internal MISP references

UUID 28b97733-ef07-4414-aaa5-df50b2d30cc5 which can be used as unique global reference for Brave Prince - S0252 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0252 - webarchive
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0252
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Smoke Loader - S0226

Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Smoke Loader - S0226.

Known Synonyms
Dofoil
Smoke Loader

Internal MISP references

UUID 0c824410-58ff-49b2-9cf2-1c96b182bdf0 which can be used as unique global reference for Smoke Loader - S0226 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0226 - webarchive
• https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/ - webarchive
• https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0226
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Linux Rabbit - S0362

Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Linux Rabbit - S0362.

Known Synonyms
Linux Rabbit

Internal MISP references

UUID 0efefea5-78da-4022-92bc-d726139e8883 which can be used as unique global reference for Linux Rabbit - S0362 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0362 - webarchive
• https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat - webarchive

Associated metadata

Metadata key	Value
external_id	S0362
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

Stealth Mango - S0328

Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer. (Citation: Lookout-StealthMango)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Stealth Mango - S0328.

Known Synonyms
Stealth Mango

Internal MISP references

UUID 085eb36d-697d-4d9a-bac3-96eb879fe73c which can be used as unique global reference for Stealth Mango - S0328 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0328 - webarchive
• https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0328
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Corona Updates - S0425

Corona Updates is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Corona Updates - S0425.

Known Synonyms
Concipit1248
Corona Updates
Wabi Music

Internal MISP references

UUID 366c800f-97a8-48d5-b0a6-79d00198252a which can be used as unique global reference for Corona Updates - S0425 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0425 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0425
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Gold Dragon - S0249

Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gold Dragon - S0249.

Known Synonyms
Gold Dragon

Internal MISP references

UUID b9799466-9dd7-4098-b2d6-f999ce50b9a8 which can be used as unique global reference for Gold Dragon - S0249 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0249 - webarchive
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0249
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Caterpillar WebShell - S0572

Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.(Citation: ClearSky Lebanese Cedar Jan 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Caterpillar WebShell - S0572.

Known Synonyms
Caterpillar WebShell

Internal MISP references

UUID 751b77e6-af1f-483b-93fe-eddf17f92a64 which can be used as unique global reference for Caterpillar WebShell - S0572 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0572 - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf - webarchive
• https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0572
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Cobian RAT - S0338

Cobian RAT is a backdoor, remote access tool that has been observed since 2016.(Citation: Zscaler Cobian Aug 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cobian RAT - S0338.

Known Synonyms
Cobian RAT

Internal MISP references

UUID aa1462a1-d065-416c-b354-bedd04998c7f which can be used as unique global reference for Cobian RAT - S0338 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0338 - webarchive
• https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat - webarchive

Associated metadata

Metadata key	Value
external_id	S0338
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Cardinal RAT - S0348

Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.(Citation: PaloAlto CardinalRat Apr 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cardinal RAT - S0348.

Known Synonyms
Cardinal RAT

Internal MISP references

UUID b879758f-bbc4-4cab-b5ba-177ac9b009b4 which can be used as unique global reference for Cardinal RAT - S0348 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0348 - webarchive
• https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0348
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Golden Cup - S0535

Golden Cup is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Golden Cup - S0535.

Known Synonyms
Golden Cup

Internal MISP references

UUID f3975cc0-72bc-4308-836e-ac701b83860e which can be used as unique global reference for Golden Cup - S0535 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0535 - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans - webarchive

Associated metadata

Metadata key	Value
external_id	S0535
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Olympic Destroyer - S0365

Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. Olympic Destroyer has worm-like features to spread itself across a computer network in order to maximize its destructive impact.(Citation: Talos Olympic Destroyer 2018)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Olympic Destroyer - S0365.

Known Synonyms
Olympic Destroyer

Internal MISP references

UUID 3249e92a-870b-426d-8790-ba311c1abfb4 which can be used as unique global reference for Olympic Destroyer - S0365 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0365 - webarchive
• https://blog.talosintelligence.com/2018/02/olympic-destroyer.html - webarchive
• https://www.justice.gov/opa/press-release/file/1328521/download - webarchive

Associated metadata

Metadata key	Value
external_id	S0365
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Revenge RAT - S0379

Revenge RAT is a freely available remote access tool written in .NET (C#).(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Revenge RAT - S0379.

Known Synonyms
Revenge RAT

Internal MISP references

UUID bdb27a1d-1844-42f1-a0c0-826027ae0326 which can be used as unique global reference for Revenge RAT - S0379 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0379 - webarchive
• https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/ - webarchive
• https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517 - webarchive

Associated metadata

Metadata key	Value
external_id	S0379
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Rising Sun - S0448

Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 and 2019. Rising Sun infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed Rising Sun included some source code from Lazarus Group's Trojan Duuzer.(Citation: McAfee Sharpshooter December 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rising Sun - S0448.

Known Synonyms
Rising Sun

Internal MISP references

UUID 56e6b6c2-e573-4969-8bab-783205cebbbf which can be used as unique global reference for Rising Sun - S0448 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0448 - webarchive
• https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0448
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

JSS Loader - S0648

JSS Loader is Remote Access Trojan (RAT) with .NET and C++ variants that has been used by FIN7 since at least 2020.(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JSS Loader - S0648.

Known Synonyms
JSS Loader

Internal MISP references

UUID f559f945-eb8b-48b1-904c-68568deebed3 which can be used as unique global reference for JSS Loader - S0648 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0648 - webarchive
• https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/ - webarchive
• https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc - webarchive

Associated metadata

Metadata key	Value
external_id	S0648
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DEFENSOR ID - S0479

DEFENSOR ID is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. DEFENSOR ID performs the majority of its malicious functionality by abusing Android’s accessibility service.(Citation: ESET DEFENSOR ID)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEFENSOR ID - S0479.

Known Synonyms
DEFENSOR ID

Internal MISP references

UUID 5a5dca4c-03c1-4b99-bfcf-c206e20aa663 which can be used as unique global reference for DEFENSOR ID - S0479 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0479 - webarchive
• https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0479
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Tiktok Pro - S0558

Tiktok Pro is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tiktok Pro - S0558.

Known Synonyms
Tiktok Pro

Internal MISP references

UUID c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0 which can be used as unique global reference for Tiktok Pro - S0558 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0558 - webarchive
• https://www.zscaler.com/blogs/security-research/tiktok-spyware - webarchive

Associated metadata

Metadata key	Value
external_id	S0558
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Cyclops Blink - S0687

Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.(Citation: NCSC Cyclops Blink February 2022)(Citation: NCSC CISA Cyclops Blink Advisory February 2022)(Citation: Trend Micro Cyclops Blink March 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cyclops Blink - S0687.

Known Synonyms
Cyclops Blink

Internal MISP references

UUID b350b47f-88fe-4921-8538-6d9c59bac84e which can be used as unique global reference for Cyclops Blink - S0687 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0687 - webarchive
• https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf - webarchive
• https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter - webarchive
• https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0687
mitre_platforms	['Network']

Related clusters

To see the related clusters, click here.

Trojan-SMS.AndroidOS.FakeInst.a - S0306

Trojan-SMS.AndroidOS.FakeInst.a is Android malware. (Citation: Kaspersky-MobileMalware)

Internal MISP references

UUID 28e39395-91e7-4f02-b694-5e079c964da9 which can be used as unique global reference for Trojan-SMS.AndroidOS.FakeInst.a - S0306 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0306 - webarchive
• https://securelist.com/mobile-malware-evolution-2013/58335/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0306

Related clusters

To see the related clusters, click here.

Trojan-SMS.AndroidOS.Agent.ao - S0307

Trojan-SMS.AndroidOS.Agent.ao is Android malware. (Citation: Kaspersky-MobileMalware)

Internal MISP references

UUID a1867c56-8c86-455a-96ad-b0d5f7e2bc17 which can be used as unique global reference for Trojan-SMS.AndroidOS.Agent.ao - S0307 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0307 - webarchive
• https://securelist.com/mobile-malware-evolution-2013/58335/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0307

Related clusters

To see the related clusters, click here.

Trojan-SMS.AndroidOS.OpFake.a - S0308

Trojan-SMS.AndroidOS.OpFake.a is Android malware. (Citation: Kaspersky-MobileMalware)

Internal MISP references

UUID d89c132d-7752-4c7f-9372-954a71522985 which can be used as unique global reference for Trojan-SMS.AndroidOS.OpFake.a - S0308 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0308 - webarchive
• https://securelist.com/mobile-malware-evolution-2013/58335/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0308

Related clusters

To see the related clusters, click here.

Mis-Type - S0084

Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.(Citation: Cylance Dust Storm)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mis-Type - S0084.

Known Synonyms
Mis-Type

Internal MISP references

UUID e1161124-f22e-487f-9d5f-ed8efc8dcd61 which can be used as unique global reference for Mis-Type - S0084 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0084 - webarchive
• https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0084
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

S-Type - S0085

S-Type is a backdoor that was used in Operation Dust Storm since at least 2013.(Citation: Cylance Dust Storm)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular S-Type - S0085.

Known Synonyms
S-Type

Internal MISP references

UUID 66b1dcde-17a0-4c7b-95fa-b08d430c2131 which can be used as unique global reference for S-Type - S0085 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0085 - webarchive
• https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0085
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Hi-Zor - S0087

Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION. (Citation: Fidelis Hi-Zor)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hi-Zor - S0087.

Known Synonyms
Hi-Zor

Internal MISP references

UUID 5967cc93-57c9-404a-8ffd-097edfa7bdfc which can be used as unique global reference for Hi-Zor - S0087 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0087 - webarchive
• https://www.fidelissecurity.com/threatgeek/archive/introducing-hi-zor-rat/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0087
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Miner-C - S0133

Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. (Citation: Softpedia MinerC)

Internal MISP references

UUID 17dec760-9c8f-4f1b-9b4b-0ac47a453234 which can be used as unique global reference for Miner-C - S0133 in MISP communities and other software using the MISP galaxy

External references

• http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml - webarchive
• https://attack.mitre.org/software/S0133 - webarchive

Associated metadata

Metadata key	Value
external_id	S0133

Related clusters

To see the related clusters, click here.

Seth-Locker - S0639

Seth-Locker is a ransomware with some remote control capabilities that has been in use since at least 2021. (Citation: Trend Micro Ransomware February 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Seth-Locker - S0639.

Known Synonyms
Seth-Locker

Internal MISP references

UUID f931a0b9-0361-4b1b-bacf-955062c35746 which can be used as unique global reference for Seth-Locker - S0639 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0639 - webarchive
• https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0639
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Aria-body - S0456

Aria-body is a custom backdoor that has been used by Naikon since approximately 2017.(Citation: CheckPoint Naikon May 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aria-body - S0456.

Known Synonyms
Aria-body

Internal MISP references

UUID 3161d76a-e2b2-4b97-9906-24909b735386 which can be used as unique global reference for Aria-body - S0456 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0456 - webarchive
• https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0456
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

S.O.V.A. - S1062

S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular S.O.V.A. - S1062.

Known Synonyms
S.O.V.A.

Internal MISP references

UUID 4b53eb01-57d7-47b4-b078-22766b002b36 which can be used as unique global reference for S.O.V.A. - S1062 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1062 - webarchive
• https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly - webarchive
• https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html - webarchive

Associated metadata

Metadata key	Value
external_id	S1062
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Android/Chuli.A - S0304

Android/Chuli.A is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Android/Chuli.A - S0304.

Known Synonyms
Android/Chuli.A

Internal MISP references

UUID d05f7357-4cbe-47ea-bf83-b8604226d533 which can be used as unique global reference for Android/Chuli.A - S0304 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0304 - webarchive
• https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0304
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

AndroidOS/MalLocker.B - S0524

AndroidOS/MalLocker.B is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. (Citation: Microsoft MalLockerB)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AndroidOS/MalLocker.B - S0524.

Known Synonyms
AndroidOS/MalLocker.B

Internal MISP references

UUID 9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce which can be used as unique global reference for AndroidOS/MalLocker.B - S0524 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0524 - webarchive
• https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0524
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Android/AdDisplay.Ashas - S0525

Android/AdDisplay.Ashas is a variant of adware that has been distributed through multiple apps in the Google Play Store. (Citation: WeLiveSecurity AdDisplayAshas)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Android/AdDisplay.Ashas - S0525.

Known Synonyms
Android/AdDisplay.Ashas

Internal MISP references

UUID f7e7b736-2cff-4c2a-9232-352cd383463a which can be used as unique global reference for Android/AdDisplay.Ashas - S0525 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0525 - webarchive
• https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0525
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Trojan.Mebromi - S0001

Trojan.Mebromi is BIOS-level malware that takes control of the victim before MBR. (Citation: Ge 2011)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Trojan.Mebromi - S0001.

Known Synonyms
Trojan.Mebromi

Internal MISP references

UUID c5e9cb46-aced-466c-85ea-7db5572ad9ec which can be used as unique global reference for Trojan.Mebromi - S0001 in MISP communities and other software using the MISP galaxy

External references

• http://www.symantec.com/connect/blogs/bios-threat-showing-again - webarchive
• https://attack.mitre.org/software/S0001 - webarchive

Associated metadata

Metadata key	Value
external_id	S0001
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ANDROIDOS_ANSERVER.A - S0310

ANDROIDOS_ANSERVER.A is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ANDROIDOS_ANSERVER.A - S0310.

Known Synonyms
ANDROIDOS_ANSERVER.A

Internal MISP references

UUID 4bf6ba32-4165-42c1-b911-9c36165891c8 which can be used as unique global reference for ANDROIDOS_ANSERVER.A - S0310 in MISP communities and other software using the MISP galaxy

External references

• http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/ - webarchive
• https://attack.mitre.org/software/S0310 - webarchive

Associated metadata

Metadata key	Value
external_id	S0310
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Agent.btz - S0092

Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. (Citation: Securelist Agent.btz)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Agent.btz - S0092.

Known Synonyms
Agent.btz

Internal MISP references

UUID 40d3e230-ed32-469f-ba89-be70cc08ab39 which can be used as unique global reference for Agent.btz - S0092 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0092 - webarchive
• https://securelist.com/agent-btz-a-source-of-inspiration/58551/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0092
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Backdoor.Oldrea - S0093

Backdoor.Oldrea is a modular backdoor that used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Backdoor.Oldrea - S0093.

Known Synonyms
Backdoor.Oldrea
Havex

Internal MISP references

UUID 083bb47b-02c8-4423-81a2-f9ef58572974 which can be used as unique global reference for Backdoor.Oldrea - S0093 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0093 - webarchive
• https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
• https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers - webarchive
• https://vblocalhost.com/uploads/VB2021-Slowik.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0093
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Trojan.Karagany - S0094

Trojan.Karagany is a modular remote access tool used for recon and linked to Dragonfly. The source code for Trojan.Karagany originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY )

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Trojan.Karagany - S0094.

Known Synonyms
Karagany
Trojan.Karagany
xFrost

Internal MISP references

UUID 82cb34ba-02b5-432b-b2d2-07f55cbf674d which can be used as unique global reference for Trojan.Karagany - S0094 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0094 - webarchive
• https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
• https://www.dragos.com/threat/dymalloy/ - webarchive
• https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector - webarchive

Associated metadata

Metadata key	Value
external_id	S0094
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

macOS.OSAMiner - S1048

macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.(Citation: SentinelLabs reversing run-only applescripts 2021)(Citation: VMRay OSAMiner dynamic analysis 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular macOS.OSAMiner - S1048.

Known Synonyms
macOS.OSAMiner

Internal MISP references

UUID 2a59a237-1530-4d55-91f9-2aebf961cc37 which can be used as unique global reference for macOS.OSAMiner - S1048 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1048 - webarchive
• https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/ - webarchive
• https://www.vmray.com/cyber-security-blog/osaminer-uses-applescripts-evade-detection-malware-analysis-spotlight/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1048
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

OSX_OCEANLOTUS.D - S0352

OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, APT32 has continued to make improvements using a plugin architecture to extend capabilities, specifically using .dylib files. OSX_OCEANLOTUS.D can also determine it's permission level and execute according to access type (root or user).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OSX_OCEANLOTUS.D - S0352.

Known Synonyms
Backdoor.MacOS.OCEANLOTUS.F
OSX_OCEANLOTUS.D

Internal MISP references

UUID b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29 which can be used as unique global reference for OSX_OCEANLOTUS.D - S0352 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0352 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/ - webarchive
• https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/ - webarchive
• https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0352
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

LITTLELAMB.WOOLTEA - S1121

LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.(Citation: Mandiant Cutting Edge Part 3 February 2024)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LITTLELAMB.WOOLTEA - S1121.

Known Synonyms
LITTLELAMB.WOOLTEA

Internal MISP references

UUID 19256855-65e9-48f2-8b74-9f3d0a994428 which can be used as unique global reference for LITTLELAMB.WOOLTEA - S1121 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1121 - webarchive
• https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence - webarchive

Associated metadata

Metadata key	Value
external_id	S1121
mitre_platforms	['Network']

Related clusters

To see the related clusters, click here.

OSX/Shlayer - S0402

OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OSX/Shlayer - S0402.

Known Synonyms
Crossrider
OSX/Shlayer
Zshlayer

Internal MISP references

UUID f1314e75-ada8-49f4-b281-b1fb8b48f2a7 which can be used as unique global reference for OSX/Shlayer - S0402 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0402 - webarchive
• https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/ - webarchive
• https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html - webarchive
• https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/ - webarchive
• https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/ - webarchive
• https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0402
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

T9000 - S0098

T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. (Citation: FireEye admin@338 March 2014) (Citation: Palo Alto T9000 Feb 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular T9000 - S0098.

Known Synonyms
T9000

Internal MISP references

UUID 876f6a77-fbc5-4e13-ab1a-5611986730a3 which can be used as unique global reference for T9000 - S0098 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/ - webarchive
• https://attack.mitre.org/software/S0098 - webarchive
• https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0098
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BS2005 - S0014

BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011. (Citation: Mandiant Operation Ke3chang November 2014)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BS2005 - S0014.

Known Synonyms
BS2005

Internal MISP references

UUID 67fc172a-36fa-4a35-88eb-4ba730ed52a6 which can be used as unique global reference for BS2005 - S0014 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0014 - webarchive
• https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs - webarchive

Associated metadata

Metadata key	Value
external_id	S0014
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Sys10 - S0060

Sys10 is a backdoor that was used throughout 2013 by Naikon. (Citation: Baumgartner Naikon 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sys10 - S0060.

Known Synonyms
Sys10

Internal MISP references

UUID 7f8730af-f683-423f-9ee1-5f6875a80481 which can be used as unique global reference for Sys10 - S0060 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0060 - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0060
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Lurid - S0010

Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006. (Citation: Villeneuve 2014) (Citation: Villeneuve 2011)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lurid - S0010.

Known Synonyms
Enfal
Lurid

Internal MISP references

UUID 251fbae2-78f6-4de7-84f6-194c727a64ad which can be used as unique global reference for Lurid - S0010 in MISP communities and other software using the MISP galaxy

External references

• http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf - webarchive
• https://attack.mitre.org/software/S0010 - webarchive
• https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0010
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Dipsind - S0200

Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. (Citation: Microsoft PLATINUM April 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dipsind - S0200.

Known Synonyms
Dipsind

Internal MISP references

UUID e170995d-4f61-4f17-b60e-04f9a06ee517 which can be used as unique global reference for Dipsind - S0200 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0200 - webarchive
• https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0200
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DressCode - S0300

DressCode is an Android malware family. (Citation: TrendMicro-DressCode)

Internal MISP references

UUID ff742eeb-1f90-4f5a-8b92-9d40fffd99ca which can be used as unique global reference for DressCode - S0300 in MISP communities and other software using the MISP galaxy

External references

• http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/ - webarchive
• https://attack.mitre.org/software/S0300 - webarchive

Associated metadata

Metadata key	Value
external_id	S0300

Related clusters

To see the related clusters, click here.

Carbanak - S0030

Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Carbanak - S0030.

Known Synonyms
Anunak
Carbanak

Internal MISP references

UUID 72f54d66-675d-4587-9bd3-4ed09f9522e4 which can be used as unique global reference for Carbanak - S0030 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0030 - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf - webarchive
• https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html - webarchive
• https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0030
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RIPTIDE - S0003

RIPTIDE is a proxy-aware backdoor used by APT12. (Citation: Moran 2014)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RIPTIDE - S0003.

Known Synonyms
RIPTIDE

Internal MISP references

UUID ad4f146f-e3ec-444a-ba71-24bffd7f0f8e which can be used as unique global reference for RIPTIDE - S0003 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0003 - webarchive
• https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0003
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

TinyZBot - S0004

TinyZBot is a bot written in C# that was developed by Cleaver. (Citation: Cylance Cleaver)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TinyZBot - S0004.

Known Synonyms
TinyZBot

Internal MISP references

UUID c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9 which can be used as unique global reference for TinyZBot - S0004 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0004 - webarchive
• https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0004
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RobbinHood - S0400

RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.(Citation: CarbonBlack RobbinHood May 2019)(Citation: BaltimoreSun RobbinHood May 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RobbinHood - S0400.

Known Synonyms
RobbinHood

Internal MISP references

UUID 0a607c53-df52-45da-a75d-0e53df4dad5f which can be used as unique global reference for RobbinHood - S0400 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0400 - webarchive
• https://www.baltimoresun.com/politics/bs-md-ci-it-outage-20190507-story.html - webarchive
• https://www.carbonblack.com/2019/05/17/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0400
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

CosmicDuke - S0050

CosmicDuke is malware that was used by APT29 from 2010 to 2015. (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CosmicDuke - S0050.

Known Synonyms
BotgenStudios
CosmicDuke
NemesisGemina
TinyBaron

Internal MISP references

UUID 2eb9b131-d333-4a48-9eb4-d8dec46c19ee which can be used as unique global reference for CosmicDuke - S0050 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0050 - webarchive
• https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0050
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Doki - S0600

Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Doki - S0600.

Known Synonyms
Doki

Internal MISP references

UUID 4f1c389e-a80e-4a3e-9b0e-9be8c91df64f which can be used as unique global reference for Doki - S0600 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0600 - webarchive
• https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0600
mitre_platforms	['Linux', 'Containers']

Related clusters

To see the related clusters, click here.

HTTPBrowser - S0070

HTTPBrowser is malware that has been used by several threat groups. (Citation: ThreatStream Evasion Analysis) (Citation: Dell TG-3390) It is believed to be of Chinese origin. (Citation: ThreatConnect Anthem)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HTTPBrowser - S0070.

Known Synonyms
HTTPBrowser
HttpDump
Token Control

Internal MISP references

UUID e066bf86-9cfb-407a-9d25-26fd5d91e360 which can be used as unique global reference for HTTPBrowser - S0070 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0070 - webarchive
• https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage - webarchive
• https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/ - webarchive
• https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop - webarchive

Associated metadata

Metadata key	Value
external_id	S0070
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Mivast - S0080

Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach. (Citation: Symantec Black Vine)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mivast - S0080.

Known Synonyms
Mivast

Internal MISP references

UUID fbb470da-1d44-4f29-bbb3-9efbe20f94a3 which can be used as unique global reference for Mivast - S0080 in MISP communities and other software using the MISP galaxy

External references

• http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2 - webarchive
• https://attack.mitre.org/software/S0080 - webarchive
• https://web.archive.org/web/20170823094836/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0080
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Hikit - S0009

Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.(Citation: Novetta-Axiom)(Citation: FireEye Hikit Rootkit)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hikit - S0009.

Known Synonyms
Hikit

Internal MISP references

UUID 95047f03-4811-4300-922e-1ba937d53a61 which can be used as unique global reference for Hikit - S0009 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0009 - webarchive
• https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf - webarchive
• https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0009
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Ngrok - S9000

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ngrok - S9000.

Known Synonyms
Ngrok

Internal MISP references

UUID 911fe4c3-444d-4e92-83b8-cc761ac5fd3b which can be used as unique global reference for Ngrok - S9000 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S9000 - webarchive

Associated metadata

Metadata key	Value
external_id	S9000
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Rover - S0090

Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. (Citation: Palo Alto Rover)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rover - S0090.

Known Synonyms
Rover

Internal MISP references

UUID 6b616fc1-1505-48e3-8b2c-0d19337bff38 which can be used as unique global reference for Rover - S0090 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/ - webarchive
• https://attack.mitre.org/software/S0090 - webarchive

Associated metadata

Metadata key	Value
external_id	S0090
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Ninja - S1100

Ninja is a malware developed in C++ that has been used by ToddyCat to penetrate networks and control remote systems since at least 2020. Ninja is possibly part of a post exploitation toolkit exclusively used by ToddyCat and allows multiple operators to work simultaneously on the same machine. Ninja has been used against government and military entities in Europe and Asia and observed in specific infection chains being deployed by Samurai.(Citation: Kaspersky ToddyCat June 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ninja - S1100.

Known Synonyms
Ninja

Internal MISP references

UUID 023254de-caaf-4a05-b2c7-e4e2f283f7a5 which can be used as unique global reference for Ninja - S1100 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1100 - webarchive
• https://securelist.com/toddycat/106799/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1100
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Taidoor - S0011

Taidoor is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021) Taidoor has primarily been used against Taiwanese government organizations since at least 2010.(Citation: TrendMicro Taidoor)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Taidoor - S0011.

Known Synonyms
Taidoor

Internal MISP references

UUID b143dfa4-e944-43ff-8429-bfffc308c517 which can be used as unique global reference for Taidoor - S0011 in MISP communities and other software using the MISP galaxy

External references

• http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf - webarchive
• https://attack.mitre.org/software/S0011 - webarchive
• https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a - webarchive

Associated metadata

Metadata key	Value
external_id	S0011
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

WEBC2 - S0109

WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WEBC2 - S0109.

Known Synonyms
WEBC2

Internal MISP references

UUID 1d808f62-cf63-4063-9727-ff6132514c22 which can be used as unique global reference for WEBC2 - S0109 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0109 - webarchive
• https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf - webarchive
• https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0109
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Derusbi - S0021

Derusbi is malware used by multiple Chinese APT groups.(Citation: Novetta-Axiom)(Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed.(Citation: Fidelis Turbo)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Derusbi - S0021.

Known Synonyms
Derusbi
PHOTO

Internal MISP references

UUID 94379dec-5c87-49db-b36e-66abc0b81344 which can be used as unique global reference for Derusbi - S0021 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0021 - webarchive
• https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf - webarchive
• https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf - webarchive
• https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive
• https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0021
mitre_platforms	['Windows', 'Linux']

Related clusters

To see the related clusters, click here.

JPIN - S0201

JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. (Citation: Microsoft PLATINUM April 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JPIN - S0201.

Known Synonyms
JPIN

Internal MISP references

UUID de6cb631-52f6-4169-a73b-7965390b0c30 which can be used as unique global reference for JPIN - S0201 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0201 - webarchive
• https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0201
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PoisonIvy - S0012

PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.(Citation: FireEye Poison Ivy)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Darkmoon Aug 2005)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PoisonIvy - S0012.

Known Synonyms
Breut
Darkmoon
Poison Ivy
PoisonIvy

Internal MISP references

UUID b42378e0-f147-496f-992a-26a49705395b which can be used as unique global reference for PoisonIvy - S0012 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0012 - webarchive
• https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
• https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf - webarchive
• https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf - webarchive
• https://www.symantec.com/connect/blogs/life-mars-how-attackers-took-advantage-hope-alien-existance-new-darkmoon-campaign - webarchive
• https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99 - webarchive

Associated metadata

Metadata key	Value
external_id	S0012
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Kevin - S1020

Kevin is a backdoor implant written in C++ that has been used by HEXANE since at least June 2020, including in operations against organizations in Tunisia.(Citation: Kaspersky Lyceum October 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kevin - S1020.

Known Synonyms
Kevin

Internal MISP references

UUID e7863f5d-cb6a-4f81-8804-0a635eec160a which can be used as unique global reference for Kevin - S1020 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1020 - webarchive
• https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S1020
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Nerex - S0210

Nerex is a Trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Nerex May 2012)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nerex - S0210.

Known Synonyms
Nerex

Internal MISP references

UUID c251e4a5-9a2e-4166-8e42-442af75c3b9a which can be used as unique global reference for Nerex - S0210 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0210 - webarchive
• https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
• https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3445-99 - webarchive

Associated metadata

Metadata key	Value
external_id	S0210
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BACKSPACE - S0031

BACKSPACE is a backdoor used by APT30 that dates back to at least 2005. (Citation: FireEye APT30)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BACKSPACE - S0031.

Known Synonyms
BACKSPACE
Lecna

Internal MISP references

UUID fb261c56-b80e-43a9-8351-c84081e7213d which can be used as unique global reference for BACKSPACE - S0031 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0031 - webarchive
• https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0031
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Dendroid - S0301

Dendroid is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dendroid - S0301.

Known Synonyms
Dendroid

Internal MISP references

UUID 317a2c10-d489-431e-b6b2-f0251fddc88e which can be used as unique global reference for Dendroid - S0301 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0301 - webarchive
• https://blog.lookout.com/blog/2014/03/06/dendroid/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0301
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

PlugX - S0013

PlugX is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: Dell TG-3390)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PlugX - S0013.

Known Synonyms
DestroyRAT
Kaba
Korplug
PlugX
Sogu
TVT
Thoper

Internal MISP references

UUID 64fa0de0-6240-41f4-8638-f4ca7ed528fd which can be used as unique global reference for PlugX - S0013 in MISP communities and other software using the MISP galaxy

External references

• http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf - webarchive
• http://labs.lastline.com/an-analysis-of-plugx - webarchive
• http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/ - webarchive
• https://attack.mitre.org/software/S0013 - webarchive
• https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf - webarchive
• https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html - webarchive
• https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage - webarchive

Associated metadata

Metadata key	Value
external_id	S0013
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Squirrelwaffle - S1030

Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Squirrelwaffle - S1030.

Known Synonyms
Squirrelwaffle

Internal MISP references

UUID 3c18ad16-9eaf-4649-984e-68551bff0d47 which can be used as unique global reference for Squirrelwaffle - S1030 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1030 - webarchive
• https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot - webarchive
• https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike - webarchive

Associated metadata

Metadata key	Value
external_id	S1030
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Fysbis - S0410

Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.(Citation: Fysbis Palo Alto Analysis)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fysbis - S0410.

Known Synonyms
Fysbis

Internal MISP references

UUID 50d6688b-0985-4f3d-8cbe-0c796b30703b which can be used as unique global reference for Fysbis - S0410 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0410 - webarchive
• https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0410
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

Shamoon - S0140

Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. Analysis has linked Shamoon with Kwampirs based on multiple shared artifacts and coding patterns.(Citation: Cylera Kwampirs 2022) The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Shamoon - S0140.

Known Synonyms
Disttrack
Shamoon

Internal MISP references

UUID 8901ac23-6b50-410c-b0dd-d8174a86f9b3 which can be used as unique global reference for Shamoon - S0140 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/ - webarchive
• https://attack.mitre.org/software/S0140 - webarchive
• https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf - webarchive
• https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/ - webarchive
• https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html - webarchive
• https://www.symantec.com/connect/blogs/shamoon-attacks - webarchive

Associated metadata

Metadata key	Value
external_id	S0140
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Wiper - S0041

Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper)

Internal MISP references

UUID a19c49aa-36fe-4c05-b817-23e1c7a7d085 which can be used as unique global reference for Wiper - S0041 in MISP communities and other software using the MISP galaxy

External references

• http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/ - webarchive
• https://attack.mitre.org/software/S0041 - webarchive

Associated metadata

Metadata key	Value
external_id	S0041

Related clusters

To see the related clusters, click here.

MiniDuke - S0051

MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke. (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MiniDuke - S0051.

Known Synonyms
MiniDuke

Internal MISP references

UUID 5e7ef1dc-7fb6-4913-ac75-e06113b59e0c which can be used as unique global reference for MiniDuke - S0051 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0051 - webarchive
• https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0051
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

POSHSPY - S0150

POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors. (Citation: FireEye POSHSPY April 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POSHSPY - S0150.

Known Synonyms
POSHSPY

Internal MISP references

UUID 5e595477-2e78-4ce7-ae42-e0b059b17808 which can be used as unique global reference for POSHSPY - S0150 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0150 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0150
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Ixeshe - S0015

Ixeshe is a malware family that has been used since at least 2009 against targets in East Asia. (Citation: Moran 2013)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ixeshe - S0015.

Known Synonyms
Ixeshe

Internal MISP references

UUID 8beac7c2-48d2-4cd9-9b15-6c452f38ac06 which can be used as unique global reference for Ixeshe - S0015 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0015 - webarchive
• https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0015
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PipeMon - S0501

PipeMon is a multi-stage modular backdoor used by Winnti Group.(Citation: ESET PipeMon May 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PipeMon - S0501.

Known Synonyms
PipeMon

Internal MISP references

UUID 8393dac0-0583-456a-9372-fd81691bca20 which can be used as unique global reference for PipeMon - S0501 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0501 - webarchive
• https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0501
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

HDoor - S0061

HDoor is malware that has been customized and used by the Naikon group. (Citation: Baumgartner Naikon 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HDoor - S0061.

Known Synonyms
Custom HDoor
HDoor

Internal MISP references

UUID 007b44b6-e4c5-480b-b5b9-56f2081b1b7b which can be used as unique global reference for HDoor - S0061 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0061 - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0061
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Hildegard - S0601

Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard. (Citation: Unit 42 Hildegard Malware)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hildegard - S0601.

Known Synonyms
Hildegard

Internal MISP references

UUID 40a1b8ec-7295-416c-a6b1-68181d86f120 which can be used as unique global reference for Hildegard - S0601 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0601 - webarchive
• https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0601
mitre_platforms	['Linux', 'Containers', 'IaaS']

Related clusters

To see the related clusters, click here.

Mafalda - S1060

Mafalda is a flexible interactive implant that has been used by Metador. Security researchers assess the Mafalda name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. (Citation: SentinelLabs Metador Sept 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mafalda - S1060.

Known Synonyms
Mafalda

Internal MISP references

UUID 3be1fb7a-0f7e-415e-8e3a-74a80d596e68 which can be used as unique global reference for Mafalda - S1060 in MISP communities and other software using the MISP galaxy

External references

• https://assets.sentinelone.com/sentinellabs22/metador#page=1 - webarchive
• https://attack.mitre.org/software/S1060 - webarchive

Associated metadata

Metadata key	Value
external_id	S1060
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SideTwist - S0610

SideTwist is a C-based backdoor that has been used by OilRig since at least 2021.(Citation: Check Point APT34 April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SideTwist - S0610.

Known Synonyms
SideTwist

Internal MISP references

UUID df4cd566-ff2f-4d08-976d-8c86e95782de which can be used as unique global reference for SideTwist - S0610 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0610 - webarchive
• https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0610
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BISCUIT - S0017

BISCUIT is a backdoor that has been used by APT1 since as early as 2007. (Citation: Mandiant APT1)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BISCUIT - S0017.

Known Synonyms
BISCUIT

Internal MISP references

UUID b8eb28e4-48a6-40ae-951a-328714f75eda which can be used as unique global reference for BISCUIT - S0017 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0017 - webarchive
• https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf - webarchive
• https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0017
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Helminth - S0170

Helminth is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via a macros in Excel spreadsheets, and one that is a standalone Windows executable. (Citation: Palo Alto OilRig May 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Helminth - S0170.

Known Synonyms
Helminth

Internal MISP references

UUID eff1a885-6f90-42a1-901f-eef6e7a1905e which can be used as unique global reference for Helminth - S0170 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/ - webarchive
• https://attack.mitre.org/software/S0170 - webarchive

Associated metadata

Metadata key	Value
external_id	S0170
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

hcdLoader - S0071

hcdLoader is a remote access tool (RAT) that has been used by APT18. (Citation: Dell Lateral Movement)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular hcdLoader - S0071.

Known Synonyms
hcdLoader

Internal MISP references

UUID 9e2bba94-950b-4fcf-8070-cb3f816c5f4e which can be used as unique global reference for hcdLoader - S0071 in MISP communities and other software using the MISP galaxy

External references

• http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/ - webarchive
• https://attack.mitre.org/software/S0071 - webarchive

Associated metadata

Metadata key	Value
external_id	S0071
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Elise - S0081

Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Elise - S0081.

Known Synonyms
BKDR_ESILE
Elise
Page

Internal MISP references

UUID 7551188b-8f91-4d34-8350-0d0c57b2b913 which can be used as unique global reference for Elise - S0081 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0081 - webarchive
• https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf - webarchive
• https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0081
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Fakecalls - S1080

Fakecalls is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.(Citation: kaspersky_fakecalls_0422)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fakecalls - S1080.

Known Synonyms
Fakecalls

Internal MISP references

UUID 429e1526-6293-495b-8808-af7f9a66c4be which can be used as unique global reference for Fakecalls - S1080 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1080 - webarchive
• https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1080
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Sykipot - S0018

Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims. (Citation: Alienvault Sykipot DOD Smart Cards) The group using this malware has also been referred to as Sykipot. (Citation: Blasco 2013)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sykipot - S0018.

Known Synonyms
Sykipot

Internal MISP references

UUID 6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9 which can be used as unique global reference for Sykipot - S0018 in MISP communities and other software using the MISP galaxy

External references

• http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments - webarchive
• https://attack.mitre.org/software/S0018 - webarchive
• https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards - webarchive

Associated metadata

Metadata key	Value
external_id	S0018
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Volgmer - S0180

Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. (Citation: US-CERT Volgmer Nov 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Volgmer - S0180.

Known Synonyms
Volgmer

Internal MISP references

UUID 495b6cdb-7b5a-4fbc-8d33-e7ef68806d08 which can be used as unique global reference for Volgmer - S0180 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0180 - webarchive
• https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2 - webarchive
• https://www.us-cert.gov/ncas/alerts/TA17-318B - webarchive
• https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF - webarchive

Associated metadata

Metadata key	Value
external_id	S0180
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

NightClub - S1090

NightClub is a modular implant written in C++ that has been used by MoustachedBouncer since at least 2014.(Citation: MoustachedBouncer ESET August 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NightClub - S1090.

Known Synonyms
NightClub

Internal MISP references

UUID 91c57ed3-7c32-4c68-b388-7db00cb8dac6 which can be used as unique global reference for NightClub - S1090 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1090 - webarchive
• https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1090
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Epic - S0091

Epic is a backdoor that has been used by Turla. (Citation: Kaspersky Turla)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Epic - S0091.

Known Synonyms
Epic
TadjMakhal
Tavdig
Wipbot
WorldCupSec

Internal MISP references

UUID 6b62e336-176f-417b-856a-8552dd8c44e1 which can be used as unique global reference for Epic - S0091 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0091 - webarchive
• https://securelist.com/the-epic-turla-operation/65545/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0091
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Regin - S0019

Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003. (Citation: Kaspersky Regin)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Regin - S0019.

Known Synonyms
Regin

Internal MISP references

UUID 4c59cce8-cb48-4141-b9f1-f646edfaadb0 which can be used as unique global reference for Regin - S0019 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0019 - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0019
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Chaos - S0220

Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. (Citation: Chaos Stolen Backdoor)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chaos - S0220.

Known Synonyms
Chaos

Internal MISP references

UUID 5bcd5511-6756-4824-a692-e8bb109364af which can be used as unique global reference for Chaos - S0220 in MISP communities and other software using the MISP galaxy

External references

• http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/ - webarchive
• https://attack.mitre.org/software/S0220 - webarchive

Associated metadata

Metadata key	Value
external_id	S0220
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

Uroburos - S0022

Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Uroburos - S0022.

Known Synonyms
Snake
Uroburos

Internal MISP references

UUID 80a014ba-3fef-4768-990b-37d8bd10d7f4 which can be used as unique global reference for Uroburos - S0022 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0022 - webarchive
• https://securelist.com/the-epic-turla-operation/65545/ - webarchive
• https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0022
mitre_platforms	['Linux', 'Windows', 'macOS']

Related clusters

To see the related clusters, click here.

adbupd - S0202

adbupd is a backdoor used by PLATINUM that is similar to Dipsind. (Citation: Microsoft PLATINUM April 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular adbupd - S0202.

Known Synonyms
adbupd

Internal MISP references

UUID 0f1ad2ef-41d4-4b7a-9304-ddae68ea3005 which can be used as unique global reference for adbupd - S0202 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0202 - webarchive
• https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0202
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

CHOPSTICK - S0023

CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the X-Agent for Android.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CHOPSTICK - S0023.

Known Synonyms
Backdoor.SofacyX
CHOPSTICK
SPLM
X-Agent
Xagent
webhp

Internal MISP references

UUID ccd61dfc-b03f-4689-8c18-7c97eab08472 which can be used as unique global reference for CHOPSTICK - S0023 in MISP communities and other software using the MISP galaxy

External references

• http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf - webarchive
• https://attack.mitre.org/software/S0023 - webarchive
• https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf - webarchive
• https://www.justice.gov/file/1080281/download - webarchive
• https://www.symantec.com/blogs/election-security/apt28-espionage-military-government - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0023
mitre_platforms	['Windows', 'Linux']

Related clusters

To see the related clusters, click here.

DroidJack - S0320

DroidJack is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DroidJack - S0320.

Known Synonyms
DroidJack

Internal MISP references

UUID 05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1 which can be used as unique global reference for DroidJack - S0320 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0320 - webarchive
• https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app - webarchive
• https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat - webarchive

Associated metadata

Metadata key	Value
external_id	S0320
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Hydraq - S0203

Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.(Citation: MicroFocus 9002 Aug 2016)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: ASERT Seven Pointed Dagger Aug 2015)(Citation: FireEye DeputyDog 9002 November 2013)(Citation: ProofPoint GoT 9002 Aug 2017)(Citation: FireEye Sunshop Campaign May 2013)(Citation: PaloAlto 3102 Sept 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hydraq - S0203.

Known Synonyms
9002 RAT
Aurora
HidraQ
HomeUnix
Homux
HydraQ
Hydraq
McRat
MdmBot
Roarur

Internal MISP references

UUID 73a4793a-ce55-4159-b2a6-208ef29b326f which can be used as unique global reference for Hydraq - S0203 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0203 - webarchive
• https://community.softwaregrp.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WosBVKjwZPZ - webarchive
• https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/ - webarchive
• https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
• https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf - webarchive
• https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf - webarchive
• https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html - webarchive
• https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html - webarchive
• https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures - webarchive
• https://www.symantec.com/connect/blogs/trojanhydraq-incident - webarchive

Associated metadata

Metadata key	Value
external_id	S0203
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ZeroT - S0230

ZeroT is a Trojan used by TA459, often in conjunction with PlugX. (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZeroT - S0230.

Known Synonyms
ZeroT

Internal MISP references

UUID 4ab44516-ad75-4e43-a280-705dc0420e2f which can be used as unique global reference for ZeroT - S0230 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0230 - webarchive
• https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx - webarchive
• https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts - webarchive

Associated metadata

Metadata key	Value
external_id	S0230
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Twitoor - S0302

Twitoor is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Twitoor - S0302.

Known Synonyms
Twitoor

Internal MISP references

UUID 41e3fd01-7b83-471f-835d-d2b1dc9a770c which can be used as unique global reference for Twitoor - S0302 in MISP communities and other software using the MISP galaxy

External references

• http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/ - webarchive
• https://attack.mitre.org/software/S0302 - webarchive

Associated metadata

Metadata key	Value
external_id	S0302
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Get2 - S0460

Get2 is a downloader written in C++ that has been used by TA505 to deliver FlawedGrace, FlawedAmmyy, Snatch and SDBbot.(Citation: Proofpoint TA505 October 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Get2 - S0460.

Known Synonyms
Get2

Internal MISP references

UUID 099ecff2-41b8-436d-843c-038a9aa9aa69 which can be used as unique global reference for Get2 - S0460 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0460 - webarchive
• https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader - webarchive

Associated metadata

Metadata key	Value
external_id	S0460
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

LOWBALL - S0042

LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations. (Citation: FireEye admin@338)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LOWBALL - S0042.

Known Synonyms
LOWBALL

Internal MISP references

UUID 2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b which can be used as unique global reference for LOWBALL - S0042 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0042 - webarchive
• https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0042
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ROKRAT - S0240

ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT37 has used ROKRAT during several campaigns from 2016 through 2021.(Citation: Talos ROKRAT)(Citation: Talos Group123)(Citation: Volexity InkySquid RokRAT August 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ROKRAT - S0240.

Known Synonyms
ROKRAT

Internal MISP references

UUID 60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f which can be used as unique global reference for ROKRAT - S0240 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0240 - webarchive
• https://blog.talosintelligence.com/2017/04/introducing-rokrat.html - webarchive
• https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html - webarchive
• https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html - webarchive
• https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0240
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Briba - S0204

Briba is a trojan used by Elderwood to open a backdoor and download files on to compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Briba May 2012)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Briba - S0204.

Known Synonyms
Briba

Internal MISP references

UUID 79499993-a8d6-45eb-b343-bf58dea5bdde which can be used as unique global reference for Briba - S0204 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0204 - webarchive
• https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
• https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99 - webarchive

Associated metadata

Metadata key	Value
external_id	S0204
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Dvmap - S0420

Dvmap is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dvmap - S0420.

Known Synonyms
Dvmap

Internal MISP references

UUID 22b596a6-d288-4409-8520-5f2846f85514 which can be used as unique global reference for Dvmap - S0420 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0420 - webarchive
• https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0420
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Dyre - S0024

Dyre is a banking Trojan that has been used for financial gain. (Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dyre - S0024.

Known Synonyms
Dyre
Dyreza
Dyzap

Internal MISP references

UUID 63c2a130-8a5b-452f-ad96-07cf0af12ffe which can be used as unique global reference for Dyre - S0024 in MISP communities and other software using the MISP galaxy

External references

• http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf - webarchive
• https://attack.mitre.org/software/S0024 - webarchive
• https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/ - webarchive
• https://nakedsecurity.sophos.com/2015/04/20/notes-from-sophoslabs-dyreza-the-malware-that-discriminates-against-old-computers/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0024
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

CALENDAR - S0025

CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic. (Citation: Mandiant APT1)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CALENDAR - S0025.

Known Synonyms
CALENDAR

Internal MISP references

UUID 5a84dc36-df0d-4053-9b7c-f0c388a57283 which can be used as unique global reference for CALENDAR - S0025 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0025 - webarchive
• https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0025
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BLINDINGCAN - S0520

BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BLINDINGCAN - S0520.

Known Synonyms
BLINDINGCAN

Internal MISP references

UUID 01dbc71d-0ee8-420d-abb4-3dfb6a4bf725 which can be used as unique global reference for BLINDINGCAN - S0520 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0520 - webarchive
• https://digital.nhs.uk/cyber-alerts/2020/cc-3603 - webarchive
• https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a - webarchive

Associated metadata

Metadata key	Value
external_id	S0520
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

OnionDuke - S0052

OnionDuke is malware that was used by APT29 from 2013 to 2015. (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OnionDuke - S0052.

Known Synonyms
OnionDuke

Internal MISP references

UUID b136d088-a829-432c-ac26-5529c26d4c7e which can be used as unique global reference for OnionDuke - S0052 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0052 - webarchive
• https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0052
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Drovorub - S0502

Drovorub is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by APT28.(Citation: NSA/FBI Drovorub August 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Drovorub - S0502.

Known Synonyms
Drovorub

Internal MISP references

UUID 99164b38-1775-40bc-b77b-a2373b14540a which can be used as unique global reference for Drovorub - S0502 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0502 - webarchive
• https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF - webarchive

Associated metadata

Metadata key	Value
external_id	S0502
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

Naid - S0205

Naid is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Naid June 2012)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Naid - S0205.

Known Synonyms
Naid

Internal MISP references

UUID 48523614-309e-43bf-a2b8-705c2b45d7b2 which can be used as unique global reference for Naid - S0205 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0205 - webarchive
• https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
• https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99 - webarchive

Associated metadata

Metadata key	Value
external_id	S0205
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

GLOOXMAIL - S0026

GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic. (Citation: Mandiant APT1)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GLOOXMAIL - S0026.

Known Synonyms
GLOOXMAIL
Trojan.GTALK

Internal MISP references

UUID f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2 which can be used as unique global reference for GLOOXMAIL - S0026 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0026 - webarchive
• https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0026
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Circles - S0602

Circles reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company’s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Circles - S0602.

Known Synonyms
Circles

Internal MISP references

UUID c6a07c89-a24c-4c7e-9e3e-6153cc595e24 which can be used as unique global reference for Circles - S0602 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0602 - webarchive
• https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0602

Related clusters

To see the related clusters, click here.

DustySky - S0062

DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015. (Citation: DustySky) (Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DustySky - S0062.

Known Synonyms
DustySky
NeD Worm

Internal MISP references

UUID 687c23e4-4e25-4ee7-a870-c5e002511f54 which can be used as unique global reference for DustySky - S0062 in MISP communities and other software using the MISP galaxy

External references

• http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf - webarchive
• https://attack.mitre.org/software/S0062 - webarchive
• https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/ - webarchive
• https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0062
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

InvisiMole - S0260

InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular InvisiMole - S0260.

Known Synonyms
InvisiMole

Internal MISP references

UUID 47afe41c-4c08-485e-b062-c3bd209a1cce which can be used as unique global reference for InvisiMole - S0260 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0260 - webarchive
• https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/ - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0260
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Wiarp - S0206

Wiarp is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Wiarp - S0206.

Known Synonyms
Wiarp

Internal MISP references

UUID 039814a0-88de-46c5-a4fb-b293db21880a which can be used as unique global reference for Wiarp - S0206 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0206 - webarchive
• https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
• https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99 - webarchive

Associated metadata

Metadata key	Value
external_id	S0206
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

OwaAuth - S0072

OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. (Citation: Dell TG-3390)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OwaAuth - S0072.

Known Synonyms
OwaAuth

Internal MISP references

UUID a60657fa-e2e7-4f8f-8128-a882534ae8c5 which can be used as unique global reference for OwaAuth - S0072 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0072 - webarchive
• https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage - webarchive

Associated metadata

Metadata key	Value
external_id	S0072
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RogueRobin - S0270

RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RogueRobin - S0270.

Known Synonyms
RogueRobin

Internal MISP references

UUID 8ec6e3b4-b06d-4805-b6aa-af916acc2122 which can be used as unique global reference for RogueRobin - S0270 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0270 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/ - webarchive
• https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0270
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Vasport - S0207

Vasport is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Vasport May 2012)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vasport - S0207.

Known Synonyms
Vasport

Internal MISP references

UUID f4d8a2d6-c684-453a-8a14-cf4a94f755c5 which can be used as unique global reference for Vasport - S0207 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0207 - webarchive
• https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
• https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-5938-99 - webarchive

Associated metadata

Metadata key	Value
external_id	S0207
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Zeroaccess - S0027

Zeroaccess is a kernel-mode Rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain. (Citation: Sophos ZeroAccess)

Internal MISP references

UUID 552462b9-ae79-49dd-855c-5973014e157f which can be used as unique global reference for Zeroaccess - S0027 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0027 - webarchive
• https://sophosnews.files.wordpress.com/2012/04/zeroaccess2.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0027

Related clusters

To see the related clusters, click here.

SHIPSHAPE - S0028

SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)

Internal MISP references

UUID b1de6916-7a22-4460-8d26-6b5483ffaa2a which can be used as unique global reference for SHIPSHAPE - S0028 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0028 - webarchive
• https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0028

Related clusters

To see the related clusters, click here.

Emissary - S0082

Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio. (Citation: Lotus Blossom Dec 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Emissary - S0082.

Known Synonyms
Emissary

Internal MISP references

UUID 0f862b01-99da-47cc-9bdb-db4a86a95bb1 which can be used as unique global reference for Emissary - S0082 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/ - webarchive
• https://attack.mitre.org/software/S0082 - webarchive

Associated metadata

Metadata key	Value
external_id	S0082
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

MirageFox - S0280

MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. (Citation: APT15 Intezer June 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MirageFox - S0280.

Known Synonyms
MirageFox

Internal MISP references

UUID e3cedcfe-6515-4348-af65-7f2c4157bf0d which can be used as unique global reference for MirageFox - S0280 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0280 - webarchive
• https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0280
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Pasam - S0208

Pasam is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Pasam May 2012)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pasam - S0208.

Known Synonyms
Pasam

Internal MISP references

UUID e811ff6a-4cef-4856-a6ae-a7daf9ed39ae which can be used as unique global reference for Pasam - S0208 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0208 - webarchive
• https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
• https://www.symantec.com/security_response/writeup.jsp?docid=2012-050412-4128-99 - webarchive

Associated metadata

Metadata key	Value
external_id	S0208
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Darkmoon - S0209

Internal MISP references

UUID 310f437b-29e7-4844-848c-7220868d074a which can be used as unique global reference for Darkmoon - S0209 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0209 - webarchive

Associated metadata

Metadata key	Value
external_id	S0209

Related clusters

To see the related clusters, click here.

Gooligan - S0290

Gooligan is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. Gooligan has been described as part of the Ghost Push Android malware family. (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gooligan - S0290.

Known Synonyms
Ghost Push
Gooligan

Internal MISP references

UUID 20d56cd6-8dff-4871-9889-d32d254816de which can be used as unique global reference for Gooligan - S0290 in MISP communities and other software using the MISP galaxy

External references

• http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/ - webarchive
• https://attack.mitre.org/software/S0290 - webarchive
• https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/ - webarchive
• https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi - webarchive

Associated metadata

Metadata key	Value
external_id	S0290
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

MazarBOT - S0303

MazarBOT is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)

Internal MISP references

UUID 5ddf81ea-2c06-497b-8c30-5f1ab89a40f9 which can be used as unique global reference for MazarBOT - S0303 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0303 - webarchive
• https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0303

Related clusters

To see the related clusters, click here.

NetTraveler - S0033

NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. (Citation: Kaspersky NetTraveler)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NetTraveler - S0033.

Known Synonyms
NetTraveler

Internal MISP references

UUID cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e which can be used as unique global reference for NetTraveler - S0033 in MISP communities and other software using the MISP galaxy

External references

• http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf - webarchive
• https://attack.mitre.org/software/S0033 - webarchive

Associated metadata

Metadata key	Value
external_id	S0033
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BUBBLEWRAP - S0043

BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. (Citation: FireEye admin@338)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BUBBLEWRAP - S0043.

Known Synonyms
BUBBLEWRAP
Backdoor.APT.FakeWinHTTPHelper

Internal MISP references

UUID 123bd7b3-675c-4b1a-8482-c55782b20e2b which can be used as unique global reference for BUBBLEWRAP - S0043 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0043 - webarchive
• https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0043
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

NETEAGLE - S0034

NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” (Citation: FireEye APT30)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NETEAGLE - S0034.

Known Synonyms
NETEAGLE

Internal MISP references

UUID 53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2 which can be used as unique global reference for NETEAGLE - S0034 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0034 - webarchive
• https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0034
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Octopus - S0340

Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014.(Citation: Securelist Octopus Oct 2018)(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Octopus - S0340.

Known Synonyms
Octopus

Internal MISP references

UUID e2031fd5-02c2-43d4-85e2-b64f474530c2 which can be used as unique global reference for Octopus - S0340 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0340 - webarchive
• https://securelist.com/octopus-infested-seas-of-central-asia/88200/ - webarchive
• https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html - webarchive
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0340
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Riltok - S0403

Riltok is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Riltok - S0403.

Known Synonyms
Riltok

Internal MISP references

UUID c0efbaae-9e7d-4716-a92d-68373aac7424 which can be used as unique global reference for Riltok - S0403 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0403 - webarchive
• https://securelist.com/mobile-banker-riltok/91374/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0403
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

SPACESHIP - S0035

SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SPACESHIP - S0035.

Known Synonyms
SPACESHIP

Internal MISP references

UUID 8b880b41-5139-4807-baa9-309690218719 which can be used as unique global reference for SPACESHIP - S0035 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0035 - webarchive
• https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0035
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SeaDuke - S0053

SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar. (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SeaDuke - S0053.

Known Synonyms
SeaDaddy
SeaDesk
SeaDuke

Internal MISP references

UUID 67e6d66b-1b82-4699-b47a-e2efb6268d14 which can be used as unique global reference for SeaDuke - S0053 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0053 - webarchive
• https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0053
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FrameworkPOS - S0503

FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from sytems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FrameworkPOS - S0503.

Known Synonyms
FrameworkPOS
Trinity

Internal MISP references

UUID 1cdbbcab-903a-414d-8eb0-439a97343737 which can be used as unique global reference for FrameworkPOS - S0503 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0503 - webarchive
• https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0503

Related clusters

To see the related clusters, click here.

Melcoz - S0530

Melcoz is a banking trojan family built from the open source tool Remote Access PC. Melcoz was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.(Citation: Securelist Brazilian Banking Malware July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Melcoz - S0530.

Known Synonyms
Melcoz

Internal MISP references

UUID d3105fb5-c494-4fd1-a7be-414eab9e0c96 which can be used as unique global reference for Melcoz - S0530 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0530 - webarchive
• https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0530
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

zwShell - S0350

zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.(Citation: McAfee Night Dragon)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular zwShell - S0350.

Known Synonyms
zwShell

Internal MISP references

UUID 54e8672d-5338-4ad1-954a-a7c986bee530 which can be used as unique global reference for zwShell - S0350 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0350 - webarchive
• https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0350
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BONDUPDATER - S0360

BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig Sep 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BONDUPDATER - S0360.

Known Synonyms
BONDUPDATER

Internal MISP references

UUID d5268dfb-ae2b-4e0e-ac07-02a460613d8a which can be used as unique global reference for BONDUPDATER - S0360 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0360 - webarchive
• https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/ - webarchive
• https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0360
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FLASHFLOOD - S0036

FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FLASHFLOOD - S0036.

Known Synonyms
FLASHFLOOD

Internal MISP references

UUID 43213480-78f7-4fb3-976f-d48f5f6a4c2a which can be used as unique global reference for FLASHFLOOD - S0036 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0036 - webarchive
• https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0036
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SHOTPUT - S0063

SHOTPUT is a custom backdoor used by APT3. (Citation: FireEye Clandestine Wolf)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SHOTPUT - S0063.

Known Synonyms
Backdoor.APT.CookieCutter
Pirpi
SHOTPUT

Internal MISP references

UUID 58adaaa8-f1e8-4606-9a08-422e568461eb which can be used as unique global reference for SHOTPUT - S0063 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0063 - webarchive
• https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html - webarchive
• https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0063
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Nebulae - S0630

Nebulae Is a backdoor that has been used by Naikon since at least 2020.(Citation: Bitdefender Naikon April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nebulae - S0630.

Known Synonyms
Nebulae

Internal MISP references

UUID 22b17791-45bf-45c0-9322-ff1a0af5cf2b which can be used as unique global reference for Nebulae - S0630 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0630 - webarchive
• https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0630
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Stuxnet - S0603

Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) Stuxnet was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Stuxnet - S0603.

Known Synonyms
Stuxnet
W32.Stuxnet

Internal MISP references

UUID 088f1d6e-0783-47c6-9923-9c79b2af43d4 which can be used as unique global reference for Stuxnet - S0603 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0603 - webarchive
• https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01 - webarchive
• https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf - webarchive
• https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf - webarchive
• https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0603
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

HAMMERTOSS - S0037

HAMMERTOSS is a backdoor that was used by APT29 in 2015. (Citation: FireEye APT29) (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HAMMERTOSS - S0037.

Known Synonyms
HAMMERTOSS
HammerDuke
NetDuke

Internal MISP references

UUID 2daa14d6-cbf3-4308-bb8e-213c324a08e4 which can be used as unique global reference for HAMMERTOSS - S0037 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0037 - webarchive
• https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0037
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ASPXSpy - S0073

ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. (Citation: Dell TG-3390)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ASPXSpy - S0073.

Known Synonyms
ASPXSpy
ASPXTool

Internal MISP references

UUID 56f46b17-8cfa-46c0-b501-dd52fef394e2 which can be used as unique global reference for ASPXSpy - S0073 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0073 - webarchive
• https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage - webarchive

Associated metadata

Metadata key	Value
external_id	S0073
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SamSam - S0370

SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.(Citation: US-CERT SamSam 2018)(Citation: Talos SamSam Jan 2018)(Citation: Sophos SamSam Apr 2018)(Citation: Symantec SamSam Oct 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SamSam - S0370.

Known Synonyms
SamSam
Samas

Internal MISP references

UUID 4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62 which can be used as unique global reference for SamSam - S0370 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0370 - webarchive
• https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html - webarchive
• https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf - webarchive
• https://www.symantec.com/blogs/threat-intelligence/samsam-targeted-ransomware-attacks - webarchive
• https://www.us-cert.gov/ncas/alerts/AA18-337A - webarchive

Associated metadata

Metadata key	Value
external_id	S0370
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

StoneDrill - S0380

StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.(Citation: FireEye APT33 Sept 2017)(Citation: Kaspersky StoneDrill 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular StoneDrill - S0380.

Known Synonyms
DROPSHOT
StoneDrill

Internal MISP references

UUID 8dbadf80-468c-4a62-b817-4e4d8b606887 which can be used as unique global reference for StoneDrill - S0380 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0380 - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf - webarchive
• https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0380
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Duqu - S0038

Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Duqu - S0038.

Known Synonyms
Duqu

Internal MISP references

UUID 68dca94f-c11d-421e-9287-7c501108e18c which can be used as unique global reference for Duqu - S0038 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0038 - webarchive
• https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0038
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Misdat - S0083

Misdat is a backdoor that was used in Operation Dust Storm from 2010 to 2011.(Citation: Cylance Dust Storm)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Misdat - S0083.

Known Synonyms
Misdat

Internal MISP references

UUID 0db09158-6e48-4e7c-8ce7-2b10b9c0c039 which can be used as unique global reference for Misdat - S0083 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0083 - webarchive
• https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0083
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Adups - S0309

Adups is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)

Internal MISP references

UUID f6ac21b6-2592-400c-8472-10d0e2f1bfaf which can be used as unique global reference for Adups - S0309 in MISP communities and other software using the MISP galaxy

External references

• http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534 - webarchive
• https://attack.mitre.org/software/S0309 - webarchive
• https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0309

Related clusters

To see the related clusters, click here.

SQLRat - S0390

SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been observed using it.(Citation: Flashpoint FIN 7 March 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SQLRat - S0390.

Known Synonyms
SQLRat

Internal MISP references

UUID 8fc6c9e7-a162-4ca4-a488-f1819e9a7b06 which can be used as unique global reference for SQLRat - S0390 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0390 - webarchive
• https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0390

Related clusters

To see the related clusters, click here.

JHUHUGIT - S0044

JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware. (Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JHUHUGIT - S0044.

Known Synonyms
GAMEFISH
JHUHUGIT
JKEYSKW
Sednit
Seduploader
SofacyCarberp
Trojan.Sofacy

Internal MISP references

UUID 8ae43c46-57ef-47d5-a77a-eebb35628db2 which can be used as unique global reference for JHUHUGIT - S0044 in MISP communities and other software using the MISP galaxy

External references

• http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf - webarchive
• https://attack.mitre.org/software/S0044 - webarchive
• https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html - webarchive
• https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/ - webarchive
• https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/ - webarchive
• https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ - webarchive
• https://www.symantec.com/blogs/election-security/apt28-espionage-military-government - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0044
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SHARPSTATS - S0450

SHARPSTATS is a .NET backdoor used by MuddyWater since at least 2019.(Citation: TrendMicro POWERSTATS V3 June 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SHARPSTATS - S0450.

Known Synonyms
SHARPSTATS

Internal MISP references

UUID 73c4711b-407a-449d-b269-e3b1531fe7a9 which can be used as unique global reference for SHARPSTATS - S0450 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0450 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0450
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ADVSTORESHELL - S0045

ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ADVSTORESHELL - S0045.

Known Synonyms
ADVSTORESHELL
AZZY
EVILTOSS
NETUI
Sedreco

Internal MISP references

UUID fb575479-14ef-41e9-bfab-0b7cf10bec73 which can be used as unique global reference for ADVSTORESHELL - S0045 in MISP communities and other software using the MISP galaxy

External references

• http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf - webarchive
• https://attack.mitre.org/software/S0045 - webarchive
• https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0045
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Asacub - S0540

Asacub is a banking trojan that attempts to steal money from victims’ bank accounts. It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Asacub - S0540.

Known Synonyms
Asacub
Trojan-SMS.AndroidOS.Smaps

Internal MISP references

UUID a76b837b-93cc-417d-bf28-c47a6a284fa4 which can be used as unique global reference for Asacub - S0540 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0540 - webarchive
• https://securelist.com/the-rise-of-mobile-banker-asacub/87591/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0540
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Anchor - S0504

Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high profile targets since at least 2018.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anchor - S0504.

Known Synonyms
Anchor
Anchor_DNS

Internal MISP references

UUID 5f1d4579-4e8f-48e7-860e-2da773ae432e which can be used as unique global reference for Anchor - S0504 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0504 - webarchive
• https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30 - webarchive
• https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware - webarchive

Associated metadata

Metadata key	Value
external_id	S0504
mitre_platforms	['Linux', 'Windows']

Related clusters

To see the related clusters, click here.

CloudDuke - S0054

CloudDuke is malware that was used by APT29 in 2015. (Citation: F-Secure The Dukes) (Citation: Securelist Minidionis July 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CloudDuke - S0054.

Known Synonyms
CloudDuke
CloudLook
MiniDionis

Internal MISP references

UUID cbf646f1-7db5-4dc6-808b-0094313949df which can be used as unique global reference for CloudDuke - S0054 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0054 - webarchive
• https://securelist.com/minidionis-one-more-apt-with-a-usage-of-cloud-drives/71443/ - webarchive
• https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0054
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Exodus - S0405

Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Exodus - S0405.

Known Synonyms
Exodus
Exodus One
Exodus Two

Internal MISP references

UUID 3049b2f2-e323-4cdb-91cb-13b37b904cbb which can be used as unique global reference for Exodus - S0405 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0405 - webarchive
• https://securitywithoutborders.org/blog/2019/03/29/exodus.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0405
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Avaddon - S0640

Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.(Citation: Awake Security Avaddon)(Citation: Arxiv Avaddon Feb 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Avaddon - S0640.

Known Synonyms
Avaddon

Internal MISP references

UUID 58c5a3a1-928f-4094-9e98-a5a4e56dd5f3 which can be used as unique global reference for Avaddon - S0640 in MISP communities and other software using the MISP galaxy

External references

• https://arxiv.org/pdf/2102.04796.pdf - webarchive
• https://attack.mitre.org/software/S0640 - webarchive
• https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0640
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

CozyCar - S0046

CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CozyCar - S0046.

Known Synonyms
Cozer
CozyBear
CozyCar
CozyDuke
EuroAPT

Internal MISP references

UUID e6ef745b-077f-42e1-a37d-29eecff9c754 which can be used as unique global reference for CozyCar - S0046 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0046 - webarchive
• https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0046
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ELMER - S0064

ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16. (Citation: FireEye EPS Awakens Part 2)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ELMER - S0064.

Known Synonyms
ELMER

Internal MISP references

UUID 3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c which can be used as unique global reference for ELMER - S0064 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0064 - webarchive
• https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0064
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Gustuff - S0406

Gustuff is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gustuff - S0406.

Known Synonyms
Gustuff

Internal MISP references

UUID ff8e0c38-be47-410f-a2d3-a3d24a87c617 which can be used as unique global reference for Gustuff - S0406 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0406 - webarchive
• https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0406
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Industroyer - S0604

Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) Industroyer was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Industroyer - S0604.

Known Synonyms
CRASHOVERRIDE
Industroyer
Win32/Industroyer

Internal MISP references

UUID e401d4fe-f0c9-44f0-98e6-f93487678808 which can be used as unique global reference for Industroyer - S0604 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0604 - webarchive
• https://dragos.com/blog/crashoverride/CrashOverride-01.pdf - webarchive
• https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0604
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BBK - S0470

BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.(Citation: Trend Micro Tick November 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BBK - S0470.

Known Synonyms
BBK

Internal MISP references

UUID f0fc920e-57a3-4af5-89be-9ea594c8b1ea which can be used as unique global reference for BBK - S0470 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0470 - webarchive
• https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0470
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Monokle - S0407

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggests an iOS version may be in development.(Citation: Lookout-Monokle)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Monokle - S0407.

Known Synonyms
Monokle

Internal MISP references

UUID 6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65 which can be used as unique global reference for Monokle - S0407 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0407 - webarchive
• https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0407
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Sakula - S0074

Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. (Citation: Dell Sakula)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sakula - S0074.

Known Synonyms
Sakula
Sakurel
VIPER

Internal MISP references

UUID 96b08451-b27a-4ff6-893f-790e26393a8e which can be used as unique global reference for Sakula - S0074 in MISP communities and other software using the MISP galaxy

External references

• http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/ - webarchive
• https://attack.mitre.org/software/S0074 - webarchive

Associated metadata

Metadata key	Value
external_id	S0074
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Cerberus - S0480

Cerberus is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of Cerberus claim was used in private operations for two years.(Citation: Threat Fabric Cerberus)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cerberus - S0480.

Known Synonyms
Cerberus

Internal MISP references

UUID 037f44f0-0c07-4c7f-b40e-0325b5b228a9 which can be used as unique global reference for Cerberus - S0480 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0480 - webarchive
• https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0480
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

PinchDuke - S0048

PinchDuke is malware that was used by APT29 from 2008 to 2010. (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PinchDuke - S0048.

Known Synonyms
PinchDuke

Internal MISP references

UUID ae9d818d-95d0-41da-b045-9cabea1ca164 which can be used as unique global reference for PinchDuke - S0048 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0048 - webarchive
• https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0048
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

GeminiDuke - S0049

GeminiDuke is malware that was used by APT29 from 2009 to 2012. (Citation: F-Secure The Dukes)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GeminiDuke - S0049.

Known Synonyms
GeminiDuke

Internal MISP references

UUID 199463de-d9be-46d6-bb41-07234c1dd5a6 which can be used as unique global reference for GeminiDuke - S0049 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0049 - webarchive
• https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0049
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Machete - S0409

Machete is a cyber espionage toolset used by Machete. It is a Python-based backdoor targeting Windows machines that was first observed in 2010.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: 360 Machete Sep 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Machete - S0409.

Known Synonyms
Machete
Pyark

Internal MISP references

UUID 35cd1d01-1ede-44d2-b073-a264d727bc04 which can be used as unique global reference for Machete - S0409 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0409 - webarchive
• https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/ - webarchive
• https://securelist.com/el-machete/66108/ - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0409
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DoubleAgent - S0550

DoubleAgent is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DoubleAgent - S0550.

Known Synonyms
DoubleAgent

Internal MISP references

UUID 3d6c4389-3489-40a3-beda-c56e650b6f68 which can be used as unique global reference for DoubleAgent - S0550 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0550 - webarchive
• https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0550
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

RARSTONE - S0055

RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. (Citation: Aquino RARSTONE)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RARSTONE - S0055.

Known Synonyms
RARSTONE

Internal MISP references

UUID 8c553311-0baa-4146-997a-f79acef3d831 which can be used as unique global reference for RARSTONE - S0055 in MISP communities and other software using the MISP galaxy

External references

• http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/ - webarchive
• https://attack.mitre.org/software/S0055 - webarchive

Associated metadata

Metadata key	Value
external_id	S0055
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

TEARDROP - S0560

TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was likely used by APT29 since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TEARDROP - S0560.

Known Synonyms
TEARDROP

Internal MISP references

UUID 32f49626-87f4-4d6c-8f59-a0dca953fe26 which can be used as unique global reference for TEARDROP - S0560 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0560 - webarchive
• https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - webarchive
• https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0560
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

EKANS - S0605

EKANS is ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. EKANS has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in MegaCortex.(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EKANS - S0605.

Known Synonyms
EKANS
SNAKEHOSE

Internal MISP references

UUID 00e7d565-9883-4ee5-b642-8fd17fd6a3f5 which can be used as unique global reference for EKANS - S0605 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0605 - webarchive
• https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/ - webarchive
• https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/ - webarchive
• https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0605
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ViperRAT - S0506

ViperRAT is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ViperRAT - S0506.

Known Synonyms
ViperRAT

Internal MISP references

UUID f666e17c-b290-43b3-8947-b96bd5148fbb which can be used as unique global reference for ViperRAT - S0506 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0506 - webarchive
• https://blog.lookout.com/viperrat-mobile-apt - webarchive

Associated metadata

Metadata key	Value
external_id	S0506
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

QakBot - S0650

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.(Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QakBot - S0650.

Known Synonyms
Pinkslipbot
QBot
QakBot
QuackBot

Internal MISP references

UUID edc5e045-5401-42bb-ad92-52b5b2ee0de9 which can be used as unique global reference for QakBot - S0650 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0650 - webarchive
• https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot - webarchive
• https://redcanary.com/threat-detection-report/threats/qbot/ - webarchive
• https://securelist.com/qakbot-technical-analysis/103931/ - webarchive
• https://success.trendmicro.com/solution/000283381 - webarchive

Associated metadata

Metadata key	Value
external_id	S0650
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BitPaymer - S0570

BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitPaymer uses a unique encryption key, ransom note, and contact information for each operation. BitPaymer has several indicators suggesting overlap with the Dridex malware and is often delivered via Dridex.(Citation: Crowdstrike Indrik November 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BitPaymer - S0570.

Known Synonyms
BitPaymer
FriedEx
wp_encrypt

Internal MISP references

UUID fa766a65-5136-4ff3-8429-36d08eaa0100 which can be used as unique global reference for BitPaymer - S0570 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0570 - webarchive
• https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0570
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

eSurv - S0507

eSurv is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular eSurv - S0507.

Known Synonyms
eSurv

Internal MISP references

UUID 680f680c-eef9-4f8a-b5f5-f451bf47e403 which can be used as unique global reference for eSurv - S0507 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0507 - webarchive
• https://blog.lookout.com/esurv-research - webarchive

Associated metadata

Metadata key	Value
external_id	S0507
mitre_platforms	['Android', 'iOS']

Related clusters

To see the related clusters, click here.

SslMM - S0058

SslMM is a full-featured backdoor used by Naikon that has multiple variants. (Citation: Baumgartner Naikon 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SslMM - S0058.

Known Synonyms
SslMM

Internal MISP references

UUID 2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421 which can be used as unique global reference for SslMM - S0058 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0058 - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0058
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FakeSpy - S0509

FakeSpy is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FakeSpy - S0509.

Known Synonyms
FakeSpy

Internal MISP references

UUID 838f647e-8ff8-48bd-bbd5-613cee7736cb which can be used as unique global reference for FakeSpy - S0509 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0509 - webarchive
• https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world - webarchive

Associated metadata

Metadata key	Value
external_id	S0509
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

WinMM - S0059

WinMM is a full-featured, simple backdoor used by Naikon. (Citation: Baumgartner Naikon 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WinMM - S0059.

Known Synonyms
WinMM

Internal MISP references

UUID 22addc7b-b39f-483d-979a-1b35147da5de which can be used as unique global reference for WinMM - S0059 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0059 - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0059
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Clambling - S0660

Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.(Citation: Trend Micro DRBControl February 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Clambling - S0660.

Known Synonyms
Clambling

Internal MISP references

UUID 6e95feb1-78ee-48d3-b421-4d76663b5c49 which can be used as unique global reference for Clambling - S0660 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0660 - webarchive
• https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0660
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

WarzoneRAT - S0670

WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WarzoneRAT - S0670.

Known Synonyms
Ave Maria
Warzone
WarzoneRAT

Internal MISP references

UUID fde19a18-e502-467f-be14-58c71b4e7f4b which can be used as unique global reference for WarzoneRAT - S0670 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0670 - webarchive
• https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/ - webarchive
• https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique - webarchive

Associated metadata

Metadata key	Value
external_id	S0670
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

KillDisk - S0607

KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KillDisk - S0607.

Known Synonyms
KillDisk
Win32/KillDisk.NBB
Win32/KillDisk.NBC
Win32/KillDisk.NBD
Win32/KillDisk.NBH
Win32/KillDisk.NBI

Internal MISP references

UUID e221eb77-1502-4129-af1d-fe1ad55e7ec6 which can be used as unique global reference for KillDisk - S0607 in MISP communities and other software using the MISP galaxy

External references

• http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/ - webarchive
• https://attack.mitre.org/software/S0607 - webarchive
• https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/ - webarchive
• https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html - webarchive
• https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0607
mitre_platforms	['Linux', 'Windows']

Related clusters

To see the related clusters, click here.

FakeM - S0076

FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic. (Citation: Scarlet Mimic Jan 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FakeM - S0076.

Known Synonyms
FakeM

Internal MISP references

UUID bb3c1098-d654-4620-bf40-694386d28921 which can be used as unique global reference for FakeM - S0076 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/ - webarchive
• https://attack.mitre.org/software/S0076 - webarchive

Associated metadata

Metadata key	Value
external_id	S0076
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

pngdowner - S0067

pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and- execute" utility. (Citation: CrowdStrike Putter Panda)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular pngdowner - S0067.

Known Synonyms
pngdowner

Internal MISP references

UUID 800bdfba-6d66-480f-9f45-15845c05cb5d which can be used as unique global reference for pngdowner - S0067 in MISP communities and other software using the MISP galaxy

External references

• http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf - webarchive
• https://attack.mitre.org/software/S0067 - webarchive

Associated metadata

Metadata key	Value
external_id	S0067
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Conficker - S0608

Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of Conficker made its way on computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Conficker - S0608.

Known Synonyms
Conficker
Downadup
Kido

Internal MISP references

UUID 58eddbaf-7416-419a-ad7b-e65b9d4c3b55 which can be used as unique global reference for Conficker - S0608 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0608 - webarchive
• https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml - webarchive
• https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm - webarchive

Associated metadata

Metadata key	Value
external_id	S0608
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

LitePower - S0680

LitePower is a downloader and second stage malware that has been used by WIRTE since at least 2021.(Citation: Kaspersky WIRTE November 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LitePower - S0680.

Known Synonyms
LitePower

Internal MISP references

UUID 9020f5c7-efde-4125-a4f1-1b70f1274ddd which can be used as unique global reference for LitePower - S0680 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0680 - webarchive
• https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044 - webarchive

Associated metadata

Metadata key	Value
external_id	S0680
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ZLib - S0086

ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm since at least 2014. ZLib is malware and should not be confused with the legitimate compression library from which its name is derived.(Citation: Cylance Dust Storm)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZLib - S0086.

Known Synonyms
ZLib

Internal MISP references

UUID 166c0eca-02fd-424a-92c0-6b5106994d31 which can be used as unique global reference for ZLib - S0086 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0086 - webarchive
• https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0086
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

httpclient - S0068

httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. (Citation: CrowdStrike Putter Panda)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular httpclient - S0068.

Known Synonyms
httpclient

Internal MISP references

UUID e8268361-a599-4e45-bd3f-71c8c7e700c0 which can be used as unique global reference for httpclient - S0068 in MISP communities and other software using the MISP galaxy

External references

• http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf - webarchive
• https://attack.mitre.org/software/S0068 - webarchive

Associated metadata

Metadata key	Value
external_id	S0068
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BLACKCOFFEE - S0069

BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013. (Citation: FireEye APT17) (Citation: FireEye Periscope March 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BLACKCOFFEE - S0069.

Known Synonyms
BLACKCOFFEE

Internal MISP references

UUID d69c8146-ab35-4d50-8382-6fc80e641d43 which can be used as unique global reference for BLACKCOFFEE - S0069 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0069 - webarchive
• https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive
• https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0069
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

TRITON - S0609

This entry was deprecated as it was inadvertently added to Enterprise; a similar Software entry was created for ATT&CK for ICS.

TRITON is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. TRITON was deployed against at least one target in the Middle East. (Citation: FireEye TRITON 2017)(Citation: FireEye TRITON 2018)(Citation: Dragos TRISIS)(Citation: CISA HatMan)(Citation: FireEye TEMP.Veles 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TRITON - S0609.

Known Synonyms
HatMan
TRISIS
TRITON

Internal MISP references

UUID 93ae2edf-a598-4d2d-acd7-bcae0c021923 which can be used as unique global reference for TRITON - S0609 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0609 - webarchive
• https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf - webarchive
• https://www.dragos.com/wp-content/uploads/TRISIS-01.pdf - webarchive
• https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html - webarchive
• https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html - webarchive
• https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0609
mitre_platforms	['Windows']

CallMe - S0077

CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. (Citation: Scarlet Mimic Jan 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CallMe - S0077.

Known Synonyms
CallMe

Internal MISP references

UUID cb7bcf6f-085f-41db-81ee-4b68481661b5 which can be used as unique global reference for CallMe - S0077 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/ - webarchive
• https://attack.mitre.org/software/S0077 - webarchive

Associated metadata

Metadata key	Value
external_id	S0077
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

Psylo - S0078

Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM. (Citation: Scarlet Mimic Jan 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Psylo - S0078.

Known Synonyms
Psylo

Internal MISP references

UUID dfb5fa9b-3051-4b97-8035-08f80aef945b which can be used as unique global reference for Psylo - S0078 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/ - webarchive
• https://attack.mitre.org/software/S0078 - webarchive

Associated metadata

Metadata key	Value
external_id	S0078
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

MobileOrder - S0079

MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic. (Citation: Scarlet Mimic Jan 2016)

Internal MISP references

UUID 463f68f1-5cde-4dc2-a831-68b73488f8f4 which can be used as unique global reference for MobileOrder - S0079 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/ - webarchive
• https://attack.mitre.org/software/S0079 - webarchive

Associated metadata

Metadata key	Value
external_id	S0079

Related clusters

To see the related clusters, click here.

Kasidet - S0088

Kasidet is a backdoor that has been dropped by using malicious VBA macros. (Citation: Zscaler Kasidet)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kasidet - S0088.

Known Synonyms
Kasidet

Internal MISP references

UUID 26fed817-e7bf-41f9-829a-9075ffac45c2 which can be used as unique global reference for Kasidet - S0088 in MISP communities and other software using the MISP galaxy

External references

• http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html - webarchive
• https://attack.mitre.org/software/S0088 - webarchive

Associated metadata

Metadata key	Value
external_id	S0088
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BlackEnergy - S0089

BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackEnergy - S0089.

Known Synonyms
Black Energy
BlackEnergy

Internal MISP references

UUID 54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4 which can be used as unique global reference for BlackEnergy - S0089 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0089 - webarchive
• https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0089
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

H1N1 - S0132

H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. (Citation: Cisco H1N1 Part 1)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular H1N1 - S0132.

Known Synonyms
H1N1

Internal MISP references

UUID f8dfbc54-b070-4224-b560-79aaa5f835bd which can be used as unique global reference for H1N1 - S0132 in MISP communities and other software using the MISP galaxy

External references

• http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities - webarchive
• https://attack.mitre.org/software/S0132 - webarchive

Associated metadata

Metadata key	Value
external_id	S0132
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SLIGHTPULSE - S1110

SLIGHTPULSE is a web shell that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.(Citation: Mandiant Pulse Secure Zero-Day April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SLIGHTPULSE - S1110.

Known Synonyms
SLIGHTPULSE

Internal MISP references

UUID d1008b78-960c-4b36-bdc4-39a734e1e4e3 which can be used as unique global reference for SLIGHTPULSE - S1110 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1110 - webarchive
• https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day - webarchive

Associated metadata

Metadata key	Value
external_id	S1110
mitre_platforms	['Network', 'Linux']

Related clusters

To see the related clusters, click here.

LoFiSe - S1101

LoFiSe has been used by ToddyCat since at least 2023 to identify and collect files of interest on targeted systems.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LoFiSe - S1101.

Known Synonyms
LoFiSe

Internal MISP references

UUID 452da2d9-706c-4185-ad6f-f5edaf4b9f48 which can be used as unique global reference for LoFiSe - S1101 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1101 - webarchive
• https://securelist.com/toddycat-keep-calm-and-check-logs/110696/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1101
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Tarrask - S1011

Tarrask is malware that has been used by HAFNIUM since at least August 2021. Tarrask was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.(Citation: Tarrask scheduled task)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tarrask - S1011.

Known Synonyms
Tarrask

Internal MISP references

UUID 988976ff-beeb-4fb5-b07d-ca7437ea66e8 which can be used as unique global reference for Tarrask - S1011 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1011 - webarchive
• https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1011
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FRAMESTING - S1120

FRAMESTING is a Python web shell that was used during Cutting Edge to embed into an Ivanti Connect Secure Python package for command execution.(Citation: Mandiant Cutting Edge Part 2 January 2024)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FRAMESTING - S1120.

Known Synonyms
FRAMESTING

Internal MISP references

UUID bcaae558-9697-47a2-9ec7-c75000ddf58c which can be used as unique global reference for FRAMESTING - S1120 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1120 - webarchive
• https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation - webarchive

Associated metadata

Metadata key	Value
external_id	S1120
mitre_platforms	['Network']

Related clusters

To see the related clusters, click here.

ROCKBOOT - S0112

ROCKBOOT is a Bootkit that has been used by an unidentified, suspected China-based group. (Citation: FireEye Bootkits)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ROCKBOOT - S0112.

Known Synonyms
ROCKBOOT

Internal MISP references

UUID cba78a1c-186f-4112-9e6a-be1839f030f7 which can be used as unique global reference for ROCKBOOT - S0112 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0112 - webarchive
• https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0112
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DnsSystem - S1021

DnsSystem is a .NET based DNS backdoor, which is a customized version of the open source tool DIG.net, that has been used by HEXANE since at least June 2022.(Citation: Zscaler Lyceum DnsSystem June 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DnsSystem - S1021.

Known Synonyms
DnsSystem

Internal MISP references

UUID 8a2867f9-e8fc-4bf1-a860-ef6e46311900 which can be used as unique global reference for DnsSystem - S1021 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1021 - webarchive
• https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor - webarchive

Associated metadata

Metadata key	Value
external_id	S1021
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PowerLess - S1012

PowerLess is a PowerShell-based modular backdoor that has been used by Magic Hound since at least 2022.(Citation: Cybereason PowerLess February 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PowerLess - S1012.

Known Synonyms
PowerLess

Internal MISP references

UUID 35ee9bf3-264b-4411-8a8f-b58cec8f35e4 which can be used as unique global reference for PowerLess - S1012 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1012 - webarchive
• https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage - webarchive

Associated metadata

Metadata key	Value
external_id	S1012
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Linfo - S0211

Linfo is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Linfo May 2012)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Linfo - S0211.

Known Synonyms
Linfo

Internal MISP references

UUID e9e9bfe2-76f4-4870-a2a1-b7af89808613 which can be used as unique global reference for Linfo - S0211 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0211 - webarchive
• https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
• https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99 - webarchive

Associated metadata

Metadata key	Value
external_id	S0211
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Pcexter - S1102

Pcexter is an uploader that has been used by ToddyCat since at least 2023 to exfiltrate stolen files.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pcexter - S1102.

Known Synonyms
Pcexter

Internal MISP references

UUID e4feffc2-53d1-45c9-904e-adb9faca0d15 which can be used as unique global reference for Pcexter - S1102 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1102 - webarchive
• https://securelist.com/toddycat-keep-calm-and-check-logs/110696/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1102
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PS1 - S0613

PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.(Citation: BlackBerry CostaRicto November 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PS1 - S0613.

Known Synonyms
PS1

Internal MISP references

UUID 13183cdf-280b-46be-913a-5c6df47831e7 which can be used as unique global reference for PS1 - S0613 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0613 - webarchive
• https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced - webarchive

Associated metadata

Metadata key	Value
external_id	S0613
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FlixOnline - S1103

FlixOnline is an Android malware, first detected in early 2021, believed to target users of WhatsApp. FlixOnline primarily spreads via automatic replies to a device’s incoming WhatsApp messages.(Citation: checkpoint_flixonline_0421)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlixOnline - S1103.

Known Synonyms
FlixOnline

Internal MISP references

UUID 0ec9593f-3221-49b1-b597-37f307c19f13 which can be used as unique global reference for FlixOnline - S1103 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1103 - webarchive
• https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1103
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

TINYTYPHON - S0131

TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. (Citation: Forcepoint Monsoon)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TINYTYPHON - S0131.

Known Synonyms
TINYTYPHON

Internal MISP references

UUID 85b39628-204a-48d2-b377-ec368cbcb7ca which can be used as unique global reference for TINYTYPHON - S0131 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0131 - webarchive
• https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0131

Related clusters

To see the related clusters, click here.

PingPull - S1031

PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since at least June 2022. PingPull has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.(Citation: Unit 42 PingPull Jun 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PingPull - S1031.

Known Synonyms
PingPull

Internal MISP references

UUID 3a0f6128-0a01-421d-8eca-e57d8671b1f1 which can be used as unique global reference for PingPull - S1031 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1031 - webarchive
• https://unit42.paloaltonetworks.com/pingpull-gallium/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1031
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Prikormka - S0113

Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. (Citation: ESET Operation Groundbait)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Prikormka - S0113.

Known Synonyms
Prikormka

Internal MISP references

UUID 37cc7eb6-12e3-467b-82e8-f20f2cc73c69 which can be used as unique global reference for Prikormka - S0113 in MISP communities and other software using the MISP galaxy

External references

• http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf - webarchive
• https://attack.mitre.org/software/S0113 - webarchive

Associated metadata

Metadata key	Value
external_id	S0113
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

YiSpecter - S0311

YiSpecter is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. YiSpecter abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular YiSpecter - S0311.

Known Synonyms
YiSpecter

Internal MISP references

UUID a15c9357-2be0-4836-beec-594f28b9b4a9 which can be used as unique global reference for YiSpecter - S0311 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0311 - webarchive
• https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0311
mitre_platforms	['Android', 'iOS']

Related clusters

To see the related clusters, click here.

ZxxZ - S1013

ZxxZ is a trojan written in Visual C++ that has been used by BITTER since at least August 2021, including against Bangladeshi government personnel.(Citation: Cisco Talos Bitter Bangladesh May 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZxxZ - S1013.

Known Synonyms
ZxxZ

Internal MISP references

UUID 97cfbdc6-504d-41e9-a46c-78a9f806ff0d which can be used as unique global reference for ZxxZ - S1013 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1013 - webarchive
• https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html - webarchive

Associated metadata

Metadata key	Value
external_id	S1013
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BOOTRASH - S0114

BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.(Citation: Mandiant M Trends 2016)(Citation: FireEye Bootkits)(Citation: FireEye BOOTRASH SANS)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BOOTRASH - S0114.

Known Synonyms
BOOTRASH

Internal MISP references

UUID da2ef4a9-7cbe-400a-a379-e2f230f28db3 which can be used as unique global reference for BOOTRASH - S0114 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0114 - webarchive
• https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html - webarchive
• https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf - webarchive
• https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498163766.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0114
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DanBot - S1014

DanBot is a first-stage remote access Trojan written in C# that has been used by HEXANE since at least 2018.(Citation: SecureWorks August 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DanBot - S1014.

Known Synonyms
DanBot

Internal MISP references

UUID b8d48deb-450c-44f6-a934-ac8765aa89cb which can be used as unique global reference for DanBot - S1014 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1014 - webarchive
• https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign - webarchive

Associated metadata

Metadata key	Value
external_id	S1014
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Chinoxy - S1041

Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.(Citation: Bitdefender FunnyDream Campaign November 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chinoxy - S1041.

Known Synonyms
Chinoxy

Internal MISP references

UUID 0b639373-5f03-430e-b8f9-2fe8c8faad8e which can be used as unique global reference for Chinoxy - S1041 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1041 - webarchive
• https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S1041
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SLOWPULSE - S1104

SLOWPULSE is a malware that was used by APT5 as early as 2020 including against U.S. Defense Industrial Base (DIB) companies. SLOWPULSE has several variants and can modify legitimate Pulse Secure VPN files in order to log credentials and bypass single and two-factor authentication flows.(Citation: Mandiant Pulse Secure Zero-Day April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SLOWPULSE - S1104.

Known Synonyms
SLOWPULSE

Internal MISP references

UUID f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4 which can be used as unique global reference for SLOWPULSE - S1104 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1104 - webarchive
• https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day - webarchive

Associated metadata

Metadata key	Value
external_id	S1104
mitre_platforms	['Network']

Related clusters

To see the related clusters, click here.

Rotexy - S0411

Rotexy is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rotexy - S0411.

Known Synonyms
Rotexy

Internal MISP references

UUID 0626c181-93cb-4860-9cb0-dff3b1c13063 which can be used as unique global reference for Rotexy - S0411 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0411 - webarchive
• https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0411
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

HALFBAKED - S0151

HALFBAKED is a malware family consisting of multiple components intended to establish persistence in victim networks. (Citation: FireEye FIN7 April 2017)

Internal MISP references

UUID 0ced8926-914e-4c78-bc93-356fb90dbd1f which can be used as unique global reference for HALFBAKED - S0151 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0151 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0151

Related clusters

To see the related clusters, click here.

COATHANGER - S1105

COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, COATHANGER was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. COATHANGER is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name COATHANGER is based on a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up”.(Citation: NCSC-NL COATHANGER Feb 2024)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular COATHANGER - S1105.

Known Synonyms
COATHANGER

Internal MISP references

UUID 0c242cc5-58d3-4fe3-a866-b00a4b6fb817 which can be used as unique global reference for COATHANGER - S1105 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1105 - webarchive
• https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S1105
mitre_platforms	['Linux', 'Network']

Related clusters

To see the related clusters, click here.

Crimson - S0115

Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Crimson - S0115.

Known Synonyms
Crimson
MSIL/Crimson

Internal MISP references

UUID 326af1cd-78e7-45b7-a326-125d2f7ef8f2 which can be used as unique global reference for Crimson - S0115 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0115 - webarchive
• https://securelist.com/transparent-tribe-part-1/98127/ - webarchive
• https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0115
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RegDuke - S0511

RegDuke is a first stage implant written in .NET and used by APT29 since at least 2017. RegDuke has been used to control a compromised machine when control of other implants on the machine was lost.(Citation: ESET Dukes October 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RegDuke - S0511.

Known Synonyms
RegDuke

Internal MISP references

UUID 47124daf-44be-4530-9c63-038bc64318dd which can be used as unique global reference for RegDuke - S0511 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0511 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0511
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

KEYPLUG - S1051

KEYPLUG is a modular backdoor written in C++, with Windows and Linux variants, that has been used by APT41 since at least June 2021.(Citation: Mandiant APT41)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KEYPLUG - S1051.

Known Synonyms
KEYPLUG
KEYPLUG.LINUX

Internal MISP references

UUID 6c575670-d14c-4c7f-9b9d-fd1b363e255d which can be used as unique global reference for KEYPLUG - S1051 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1051 - webarchive
• https://www.mandiant.com/resources/apt41-us-state-governments - webarchive

Associated metadata

Metadata key	Value
external_id	S1051
mitre_platforms	['Linux', 'Windows']

Related clusters

To see the related clusters, click here.

Milan - S1015

Milan is a backdoor implant based on DanBot that was written in Visual C++ and .NET. Milan has been used by HEXANE since at least June 2020.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Milan - S1015.

Known Synonyms
James
Milan

Internal MISP references

UUID aea6d6b8-d832-4c90-a1bb-f52c6684db6c which can be used as unique global reference for Milan - S1015 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1015 - webarchive
• https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf - webarchive
• https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns - webarchive
• https://www.clearskysec.com/siamesekitten/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1015
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

AbstractEmu - S1061

AbstractEmu is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. AbstractEmu was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.(Citation: lookout_abstractemu_1021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AbstractEmu - S1061.

Known Synonyms
AbstractEmu

Internal MISP references

UUID 2aec175b-4429-4048-8e09-3ef6cbecfc64 which can be used as unique global reference for AbstractEmu - S1061 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1061 - webarchive
• https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign - webarchive

Associated metadata

Metadata key	Value
external_id	S1061
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

XAgentOSX - S0161

XAgentOSX is a trojan that has been used by APT28 on OS X and appears to be a port of their standard CHOPSTICK or XAgent trojan. (Citation: XAgentOSX 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XAgentOSX - S0161.

Known Synonyms
OSX.Sofacy
XAgentOSX

Internal MISP references

UUID 59a97b15-8189-4d51-9404-e1ce8ea4a069 which can be used as unique global reference for XAgentOSX - S0161 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0161 - webarchive
• https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/ - webarchive
• https://www.symantec.com/blogs/election-security/apt28-espionage-military-government - webarchive

Associated metadata

Metadata key	Value
external_id	S0161
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

Clop - S0611

Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)(Citation: Unit42 Clop April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Clop - S0611.

Known Synonyms
Clop

Internal MISP references

UUID cad3ba95-8c89-4146-ab10-08daa813f9de which can be used as unique global reference for Clop - S0611 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0611 - webarchive
• https://unit42.paloaltonetworks.com/clop-ransomware/ - webarchive
• https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware - webarchive
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0611
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

NGLite - S1106

NGLite is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.(Citation: NGLite Trojan)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NGLite - S1106.

Known Synonyms
NGLite

Internal MISP references

UUID 72b5f07f-5448-4e00-9ff2-08bc193a7b77 which can be used as unique global reference for NGLite - S1106 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1106 - webarchive
• https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1106
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

MacMa - S1016

MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. MacMa has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MacMa - S1016.

Known Synonyms
DazzleSpy
MacMa
OSX.CDDS

Internal MISP references

UUID bdee9574-7479-4073-a7dc-e86d8acd073a which can be used as unique global reference for MacMa - S1016 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1016 - webarchive
• https://objective-see.org/blog/blog_0x69.html - webarchive
• https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1016
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

NKAbuse - S1107

NKAbuse is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities.(Citation: NKAbuse BC)(Citation: NKAbuse SL)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NKAbuse - S1107.

Known Synonyms
NKAbuse

Internal MISP references

UUID bd2ebee8-7c38-408a-871d-221012104222 which can be used as unique global reference for NKAbuse - S1107 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1107 - webarchive
• https://securelist.com/unveiling-nkabuse/111512/ - webarchive
• https://www.bleepingcomputer.com/news/security/new-nkabuse-malware-abuses-nkn-blockchain-for-stealthy-comms/#google_vignette - webarchive

Associated metadata

Metadata key	Value
external_id	S1107
mitre_platforms	['Linux', 'macOS', 'Windows']

Related clusters

To see the related clusters, click here.

Felismus - S0171

Felismus is a modular backdoor that has been used by Sowbug. (Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Felismus - S0171.

Known Synonyms
Felismus

Internal MISP references

UUID 196f1f32-e0c2-4d46-99cd-234d4b6befe1 which can be used as unique global reference for Felismus - S0171 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0171 - webarchive
• https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware - webarchive
• https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments - webarchive

Associated metadata

Metadata key	Value
external_id	S0171
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

OutSteel - S1017

OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Ember Bear since at least March 2021.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Internal MISP references

UUID c113230f-f044-423b-af63-9b63c802f5ae which can be used as unique global reference for OutSteel - S1017 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1017 - webarchive
• https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1017
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

XTunnel - S0117

XTunnel a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee. (Citation: Crowdstrike DNC June 2016) (Citation: Invincea XTunnel) (Citation: ESET Sednit Part 2)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XTunnel - S0117.

Known Synonyms
Trojan.Shunnael
X-Tunnel
XAPS
XTunnel

Internal MISP references

UUID 7343e208-7cab-45f2-a47b-41ba5e2f0fab which can be used as unique global reference for XTunnel - S0117 in MISP communities and other software using the MISP galaxy

External references

• http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf - webarchive
• https://attack.mitre.org/software/S0117 - webarchive
• https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - webarchive
• https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/ - webarchive
• https://www.symantec.com/blogs/election-security/apt28-espionage-military-government - webarchive

Associated metadata

Metadata key	Value
external_id	S0117
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BADHATCH - S1081

BADHATCH is a backdoor that has been utilized by FIN8 since at least 2019. BADHATCH has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BADHATCH - S1081.

Known Synonyms
BADHATCH

Internal MISP references

UUID 3553b49d-d4ae-4fb6-ab17-0adbc520c888 which can be used as unique global reference for BADHATCH - S1081 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1081 - webarchive
• https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/ - webarchive
• https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S1081
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FALLCHILL - S0181

FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. (Citation: US-CERT FALLCHILL Nov 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FALLCHILL - S0181.

Known Synonyms
FALLCHILL

Internal MISP references

UUID fece06b7-d4b1-42cf-b81a-5323c917546e which can be used as unique global reference for FALLCHILL - S0181 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0181 - webarchive
• https://www.us-cert.gov/ncas/alerts/TA17-318A - webarchive

Associated metadata

Metadata key	Value
external_id	S0181
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PULSECHECK - S1108

PULSECHECK is a web shell written in Perl that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) companies.(Citation: Mandiant Pulse Secure Zero-Day April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PULSECHECK - S1108.

Known Synonyms
PULSECHECK

Internal MISP references

UUID 9a097d18-d15f-4635-a4f1-189df7efdc40 which can be used as unique global reference for PULSECHECK - S1108 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1108 - webarchive
• https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day - webarchive

Associated metadata

Metadata key	Value
external_id	S1108
mitre_platforms	['Network', 'Linux']

Related clusters

To see the related clusters, click here.

Nidiran - S0118

Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web compromise. (Citation: Symantec Suckfly March 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nidiran - S0118.

Known Synonyms
Backdoor.Nidiran
Nidiran

Internal MISP references

UUID 9e9b9415-a7df-406b-b14d-92bfe6809fbe which can be used as unique global reference for Nidiran - S0118 in MISP communities and other software using the MISP galaxy

External references

• http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates - webarchive
• https://attack.mitre.org/software/S0118 - webarchive

Associated metadata

Metadata key	Value
external_id	S0118
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PACEMAKER - S1109

PACEMAKER is a credential stealer that was used by APT5 as early as 2020 including activity against US Defense Industrial Base (DIB) companies.(Citation: Mandiant Pulse Secure Zero-Day April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PACEMAKER - S1109.

Known Synonyms
PACEMAKER

Internal MISP references

UUID 647215dd-29a6-4528-b354-ca8b5e08fca1 which can be used as unique global reference for PACEMAKER - S1109 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1109 - webarchive
• https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day - webarchive

Associated metadata

Metadata key	Value
external_id	S1109
mitre_platforms	['Network', 'Linux']

Related clusters

To see the related clusters, click here.

Shark - S1019

Shark is a backdoor malware written in C# and .NET that is an updated version of Milan; it has been used by HEXANE since at least July 2021.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Shark - S1019.

Known Synonyms
Shark

Internal MISP references

UUID 99854cc8-f202-4e03-aa0a-4f8a4af93229 which can be used as unique global reference for Shark - S1019 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1019 - webarchive
• https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns - webarchive
• https://www.clearskysec.com/siamesekitten/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1019
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Concipit1248 - S0426

Concipit1248 is iOS spyware that was discovered using the same name as the developer of the Android spyware Corona Updates. Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.(Citation: TrendMicro Coronavirus Updates)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Concipit1248 - S0426.

Known Synonyms
Concipit1248
Corona Updates

Internal MISP references

UUID 89c3dbf6-f281-41b7-be1d-a0e641014853 which can be used as unique global reference for Concipit1248 - S0426 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0426 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0426
mitre_platforms	['iOS']

Related clusters

To see the related clusters, click here.

Industroyer2 - S1072

Industroyer2 is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in Industroyer. Security researchers assess that Industroyer2 was designed to cause impact to high-voltage electrical substations. The initial Industroyer2 sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022, however it was discovered before deploying, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Industroyer2 - S1072.

Known Synonyms
Industroyer2

Internal MISP references

UUID 6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5 which can be used as unique global reference for Industroyer2 - S1072 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1072 - webarchive
• https://www.youtube.com/watch?v=xC9iM5wVedQ - webarchive

Associated metadata

Metadata key	Value
external_id	S1072
mitre_platforms	['Field Controller/RTU/PLC/IED', 'Engineering Workstation']

Related clusters

To see the related clusters, click here.

CORALDECK - S0212

CORALDECK is an exfiltration tool used by APT37. (Citation: FireEye APT37 Feb 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CORALDECK - S0212.

Known Synonyms
CORALDECK

Internal MISP references

UUID 8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e which can be used as unique global reference for CORALDECK - S0212 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0212 - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0212
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

IceApple - S1022

IceApple is a modular Internet Information Services (IIS) post-exploitation framework, that has been used since at least 2021 against the technology, academic, and government sectors.(Citation: CrowdStrike IceApple May 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IceApple - S1022.

Known Synonyms
IceApple

Internal MISP references

UUID dd889a55-fb2c-4ec7-8e9f-c399939a49e1 which can be used as unique global reference for IceApple - S1022 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1022 - webarchive
• https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S1022
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Umbreon - S0221

A Linux rootkit that provides backdoor access and hides from defenders.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Umbreon - S0221.

Known Synonyms
Umbreon

Internal MISP references

UUID 3d8e547d-9456-4f32-a895-dc86134e282f which can be used as unique global reference for Umbreon - S0221 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0221 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/?_ga=2.180041126.367598458.1505420282-1759340220.1502477046 - webarchive

Associated metadata

Metadata key	Value
external_id	S0221
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

ccf32 - S1043

ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.(Citation: Bitdefender FunnyDream Campaign November 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ccf32 - S1043.

Known Synonyms
ccf32

Internal MISP references

UUID a394448a-4576-41b8-81cc-9b61abad94ab which can be used as unique global reference for ccf32 - S1043 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1043 - webarchive
• https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S1043
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DOGCALL - S0213

DOGCALL is a backdoor used by APT37 that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DOGCALL - S0213.

Known Synonyms
DOGCALL

Internal MISP references

UUID 0852567d-7958-4f4b-8947-4f840ec8d57d which can be used as unique global reference for DOGCALL - S0213 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0213 - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0213
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PyDCrypt - S1032

PyDCrypt is malware written in Python designed to deliver DCSrv. It has been used by Moses Staff since at least September 2021, with each sample tailored for its intended victim organization.(Citation: Checkpoint MosesStaff Nov 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PyDCrypt - S1032.

Known Synonyms
PyDCrypt

Internal MISP references

UUID 2ac41e8b-4865-4ced-839d-78e7852c47f3 which can be used as unique global reference for PyDCrypt - S1032 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1032 - webarchive
• https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1032
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

CreepyDrive - S1023

CreepyDrive is a custom implant has been used by POLONIUM since at least early 2022 for C2 with and exfiltration to actor-controlled OneDrive accounts.(Citation: Microsoft POLONIUM June 2022)

POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.(Citation: Microsoft POLONIUM June 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CreepyDrive - S1023.

Known Synonyms
CreepyDrive

Internal MISP references

UUID 750eb92a-7fdf-451e-9592-1d42357018f1 which can be used as unique global reference for CreepyDrive - S1023 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1023 - webarchive
• https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1023
mitre_platforms	['Windows', 'Office 365']

Related clusters

To see the related clusters, click here.

HummingWhale - S0321

HummingWhale is an Android malware family that performs ad fraud. (Citation: ArsTechnica-HummingWhale)

Internal MISP references

UUID 6447e3a1-ef4d-44b1-99d5-6b1c4888674f which can be used as unique global reference for HummingWhale - S0321 in MISP communities and other software using the MISP galaxy

External references

• http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/ - webarchive
• https://attack.mitre.org/software/S0321 - webarchive

Associated metadata

Metadata key	Value
external_id	S0321

Related clusters

To see the related clusters, click here.

WireLurker - S0312

WireLurker is a family of macOS malware that targets iOS devices connected over USB. (Citation: PaloAlto-WireLurker)

Internal MISP references

UUID 326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb which can be used as unique global reference for WireLurker - S0312 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0312 - webarchive
• https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/ - webarchive
• https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0312

Related clusters

To see the related clusters, click here.

RATANKBA - S0241

RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. (Citation: Lazarus RATANKBA) (Citation: RATANKBA)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RATANKBA - S0241.

Known Synonyms
RATANKBA

Internal MISP references

UUID 9b325b06-35a1-457d-be46-a4ecc0b7ff0c which can be used as unique global reference for RATANKBA - S0241 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0241 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/ - webarchive
• https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0241
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SUGARDUMP - S1042

SUGARDUMP is a proprietary browser credential harvesting tool that was used by UNC3890 during the C0010 campaign. The first known SUGARDUMP version was used since at least early 2021, a second SMTP C2 version was used from late 2021-early 2022, and a third HTTP C2 variant was used since at least April 2022.(Citation: Mandiant UNC3890 Aug 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SUGARDUMP - S1042.

Known Synonyms
SUGARDUMP

Internal MISP references

UUID 9c10cede-c0bb-4c5c-91c0-8baec30abaf6 which can be used as unique global reference for SUGARDUMP - S1042 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1042 - webarchive
• https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping - webarchive

Associated metadata

Metadata key	Value
external_id	S1042
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

HAPPYWORK - S0214

HAPPYWORK is a downloader used by APT37 to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018)

Internal MISP references

UUID 211cfe9f-2676-4e1c-a5f5-2c8091da2a68 which can be used as unique global reference for HAPPYWORK - S0214 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0214 - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0214

Related clusters

To see the related clusters, click here.

CreepySnail - S1024

CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.(Citation: Microsoft POLONIUM June 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CreepySnail - S1024.

Known Synonyms
CreepySnail

Internal MISP references

UUID d23de441-f9cf-4802-b1ff-f588a11a896b which can be used as unique global reference for CreepySnail - S1024 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1024 - webarchive
• https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1024
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

StreamEx - S0142

StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. (Citation: Cylance Shell Crew Feb 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular StreamEx - S0142.

Known Synonyms
StreamEx

Internal MISP references

UUID 91000a8a-58cc-4aba-9ad0-993ad6302b86 which can be used as unique global reference for StreamEx - S0142 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0142 - webarchive
• https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar - webarchive

Associated metadata

Metadata key	Value
external_id	S0142
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

GolfSpy - S0421

GolfSpy is Android spyware deployed by the group Bouncing Golf.(Citation: Trend Micro Bouncing Golf 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GolfSpy - S0421.

Known Synonyms
GolfSpy

Internal MISP references

UUID c19cfc89-5ac6-4d2d-a236-70d2b32e007c which can be used as unique global reference for GolfSpy - S0421 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0421 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0421
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Pisloader - S0124

Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group. (Citation: Palo Alto DNS Requests)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pisloader - S0124.

Known Synonyms
Pisloader

Internal MISP references

UUID b96680d1-5eb3-4f07-b95c-00ab904ac236 which can be used as unique global reference for Pisloader - S0124 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/ - webarchive
• https://attack.mitre.org/software/S0124 - webarchive

Associated metadata

Metadata key	Value
external_id	S0124
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ZxShell - S0412

ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZxShell - S0412.

Known Synonyms
Sensocode
ZxShell

Internal MISP references

UUID cfc75b0d-e579-40ae-ad07-a1ce00d49a6c which can be used as unique global reference for ZxShell - S0412 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0412 - webarchive
• https://blogs.cisco.com/security/talos/opening-zxshell - webarchive
• https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0412
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

KARAE - S0215

KARAE is a backdoor typically used by APT37 as first-stage malware. (Citation: FireEye APT37 Feb 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KARAE - S0215.

Known Synonyms
KARAE

Internal MISP references

UUID 3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322 which can be used as unique global reference for KARAE - S0215 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0215 - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0215
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DEADEYE - S1052

DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).(Citation: Mandiant APT41)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEADEYE - S1052.

Known Synonyms
DEADEYE
DEADEYE.APPEND
DEADEYE.EMBED

Internal MISP references

UUID c46eb8e6-bf29-4696-8008-3ddb0b4ca470 which can be used as unique global reference for DEADEYE - S1052 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1052 - webarchive
• https://www.mandiant.com/resources/apt41-us-state-governments - webarchive

Associated metadata

Metadata key	Value
external_id	S1052
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Amadey - S1025

Amadey is a Trojan bot that has been used since at least October 2018.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Amadey - S1025.

Known Synonyms
Amadey

Internal MISP references

UUID 05318127-5962-444b-b900-a9dcfe0ff6e9 which can be used as unique global reference for Amadey - S1025 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1025 - webarchive
• https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot - webarchive
• https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory= - webarchive

Associated metadata

Metadata key	Value
external_id	S1025
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FatDuke - S0512

FatDuke is a backdoor used by APT29 since at least 2016.(Citation: ESET Dukes October 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FatDuke - S0512.

Known Synonyms
FatDuke

Internal MISP references

UUID 54a01db0-9fab-4d5f-8209-53cef8425f4a which can be used as unique global reference for FatDuke - S0512 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0512 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0512
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

EvilGrab - S0152

EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. (Citation: PWC Cloud Hopper Technical Annex April 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EvilGrab - S0152.

Known Synonyms
EvilGrab

Internal MISP references

UUID 2f1a9fd0-3b7c-4d77-a358-78db13adbe78 which can be used as unique global reference for EvilGrab - S0152 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0152 - webarchive
• https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0152
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Remsec - S0125

Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. (Citation: Symantec Strider Blog)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Remsec - S0125.

Known Synonyms
Backdoor.Remsec
ProjectSauron
Remsec

Internal MISP references

UUID 69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8 which can be used as unique global reference for Remsec - S0125 in MISP communities and other software using the MISP galaxy

External references

• http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets - webarchive
• https://attack.mitre.org/software/S0125 - webarchive
• https://securelist.com/faq-the-projectsauron-apt/75533/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0125
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Zebrocy - S0251

Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: CISA Zebrocy Oct 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zebrocy - S0251.

Known Synonyms
Zebrocy
Zekapab

Internal MISP references

UUID a4f57468-fbd5-49e4-8476-52088220b92d which can be used as unique global reference for Zebrocy - S0251 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0251 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ - webarchive
• https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/ - webarchive
• https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/ - webarchive
• https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b - webarchive
• https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50 - webarchive
• https://www.cyberscoop.com/apt28-brexit-phishing-accenture/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0251
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ComRAT - S0126

ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The first version of ComRAT was identified in 2007, but the tool has undergone substantial development for many years since.(Citation: Symantec Waterbug)(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ComRAT - S0126.

Known Synonyms
ComRAT

Internal MISP references

UUID da5880b4-f7da-4869-85f2-e0aba84b8565 which can be used as unique global reference for ComRAT - S0126 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0126 - webarchive
• https://docplayer.net/101655589-Tools-used-by-the-uroburos-actors.html - webarchive
• https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0126
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

POORAIM - S0216

POORAIM is a backdoor used by APT37 in campaigns since at least 2014. (Citation: FireEye APT37 Feb 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POORAIM - S0216.

Known Synonyms
POORAIM

Internal MISP references

UUID 53d47b09-09c2-4015-8d37-6633ecd53f79 which can be used as unique global reference for POORAIM - S0216 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0216 - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0216
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Catchamas - S0261

Catchamas is a Windows Trojan that steals information from compromised systems. (Citation: Symantec Catchamas April 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Catchamas - S0261.

Known Synonyms
Catchamas

Internal MISP references

UUID 8d9e758b-735f-4cbc-ba7c-32cd15138b2a which can be used as unique global reference for Catchamas - S0261 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0261 - webarchive
• https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99 - webarchive

Associated metadata

Metadata key	Value
external_id	S0261
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Komplex - S0162

Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX (Citation: XAgentOSX 2017) (Citation: Sofacy Komplex Trojan).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Komplex - S0162.

Known Synonyms
Komplex

Internal MISP references

UUID f108215f-3487-489d-be8b-80e346d32518 which can be used as unique global reference for Komplex - S0162 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0162 - webarchive
• https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ - webarchive
• https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0162
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

WastedLocker - S0612

WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least May 2020. WastedLocker has been used against a broad variety of sectors, including manufacturing, information technology, and media.(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group WastedLocker June 2020)(Citation: Sentinel Labs WastedLocker July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WastedLocker - S0612.

Known Synonyms
WastedLocker

Internal MISP references

UUID 46cbafbc-8907-42d3-9002-5327c26f8927 which can be used as unique global reference for WastedLocker - S0612 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0612 - webarchive
• https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us - webarchive
• https://www.sentinelone.com/labs/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0612
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Mongall - S1026

Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.(Citation: SentinelOne Aoqin Dragon June 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mongall - S1026.

Known Synonyms
Mongall

Internal MISP references

UUID 6fb36c6f-bb3d-4ed6-9471-cb9933e5c154 which can be used as unique global reference for Mongall - S1026 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1026 - webarchive
• https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1026
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BBSRAT - S0127

BBSRAT is malware with remote access tool functionality that has been used in targeted compromises. (Citation: Palo Alto Networks BBSRAT)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BBSRAT - S0127.

Known Synonyms
BBSRAT

Internal MISP references

UUID 64d76fa5-cf8f-469c-b78c-1a4f7c5bad80 which can be used as unique global reference for BBSRAT - S0127 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/ - webarchive
• https://attack.mitre.org/software/S0127 - webarchive

Associated metadata

Metadata key	Value
external_id	S0127
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

KEYMARBLE - S0271

KEYMARBLE is a Trojan that has reportedly been used by the North Korean government. (Citation: US-CERT KEYMARBLE Aug 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KEYMARBLE - S0271.

Known Synonyms
KEYMARBLE

Internal MISP references

UUID 11e36d5b-6a92-4bf9-8eb7-85eb24f59e22 which can be used as unique global reference for KEYMARBLE - S0271 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0271 - webarchive
• https://www.us-cert.gov/ncas/analysis-reports/AR18-221A - webarchive

Associated metadata

Metadata key	Value
external_id	S0271
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SHUTTERSPEED - S0217

SHUTTERSPEED is a backdoor used by APT37. (Citation: FireEye APT37 Feb 2018)

Internal MISP references

UUID 4189a679-72ed-4a89-a57c-7f689712ecf8 which can be used as unique global reference for SHUTTERSPEED - S0217 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0217 - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0217

Related clusters

To see the related clusters, click here.

Reaver - S0172

Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of Control Panel items.(Citation: Palo Alto Reaver Nov 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Reaver - S0172.

Known Synonyms
Reaver

Internal MISP references

UUID 65341f30-bec6-4b1d-8abf-1a5620446c29 which can be used as unique global reference for Reaver - S0172 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0172 - webarchive
• https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0172
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BADNEWS - S0128

BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BADNEWS - S0128.

Known Synonyms
BADNEWS

Internal MISP references

UUID e9595678-d269-469e-ae6b-75e49259de63 which can be used as unique global reference for BADNEWS - S0128 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0128 - webarchive
• https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf - webarchive
• https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0128
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SLOWDRIFT - S0218

SLOWDRIFT is a backdoor used by APT37 against academic and strategic victims in South Korea. (Citation: FireEye APT37 Feb 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SLOWDRIFT - S0218.

Known Synonyms
SLOWDRIFT

Internal MISP references

UUID 414dc555-c79e-4b24-a2da-9b607f7eaf16 which can be used as unique global reference for SLOWDRIFT - S0218 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0218 - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0218
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Dok - S0281

Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. Adversary-in-the-Middle).(Citation: objsee mac malware 2017)(Citation: hexed osx.dok analysis 2019)(Citation: CheckPoint Dok)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dok - S0281.

Known Synonyms
Dok
Retefe

Internal MISP references

UUID f36b2598-515f-4345-84e5-5ccde253edbe which can be used as unique global reference for Dok - S0281 in MISP communities and other software using the MISP galaxy

External references

• http://www.hexed.in/2019/07/osxdok-analysis.html - webarchive
• https://attack.mitre.org/software/S0281 - webarchive
• https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/ - webarchive
• https://objective-see.com/blog/blog_0x25.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0281
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

FinFisher - S0182

FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FinFisher - S0182.

Known Synonyms
FinFisher
FinSpy

Internal MISP references

UUID a5528622-3a8a-4633-86ce-8cdaf8423858 which can be used as unique global reference for FinFisher - S0182 in MISP communities and other software using the MISP galaxy

External references

• http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf - webarchive
• http://www.finfisher.com/FinFisher/index.html - webarchive
• https://attack.mitre.org/software/S0182 - webarchive
• https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/ - webarchive
• https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/ - webarchive
• https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0182
mitre_platforms	['Windows', 'Android']

Related clusters

To see the related clusters, click here.

Sunbird - S1082

Sunbird is one of two mobile malware families known to be used by the APT Confucius. Analysis suggests that Sunbird was first active in early 2017. While Sunbird and Hornbill overlap in core capabilities, Sunbird has a more extensive set of malicious features.(Citation: lookout_hornbill_sunbird_0221)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sunbird - S1082.

Known Synonyms
Sunbird

Internal MISP references

UUID feae299d-e34f-4fc9-8545-486d0905bd41 which can be used as unique global reference for Sunbird - S1082 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1082 - webarchive
• https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict - webarchive

Associated metadata

Metadata key	Value
external_id	S1082
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

WINERACK - S0219

WINERACK is a backdoor used by APT37. (Citation: FireEye APT37 Feb 2018)

Internal MISP references

UUID 49abab73-3c5c-476e-afd5-69b5c732d845 which can be used as unique global reference for WINERACK - S0219 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0219 - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0219

Related clusters

To see the related clusters, click here.

PJApps - S0291

PJApps is an Android malware family. (Citation: Lookout-EnterpriseApps)

Internal MISP references

UUID c709da93-20c3-4d17-ab68-48cba76b2137 which can be used as unique global reference for PJApps - S0291 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0291 - webarchive
• https://blog.lookout.com/blog/2016/05/25/spoofed-apps/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0291

Related clusters

To see the related clusters, click here.

Escobar - S1092

Escobar is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.(Citation: Bleeipng Computer Escobar)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Escobar - S1092.

Known Synonyms
Escobar

Internal MISP references

UUID ec13d292-6d8d-4c7a-b07c-a2bd2402569a which can be used as unique global reference for Escobar - S1092 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1092 - webarchive
• https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1092
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

DCSrv - S1033

DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.(Citation: Checkpoint MosesStaff Nov 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DCSrv - S1033.

Known Synonyms
DCSrv

Internal MISP references

UUID 5633ffd3-81ef-4f98-8f93-4896b03998f0 which can be used as unique global reference for DCSrv - S1033 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1033 - webarchive
• https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1033
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RuMMS - S0313

RuMMS is an Android malware family. (Citation: FireEye-RuMMS)

Internal MISP references

UUID 936be60d-90eb-4c36-9247-4b31128432c4 which can be used as unique global reference for RuMMS - S0313 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0313 - webarchive
• https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0313

Related clusters

To see the related clusters, click here.

HotCroissant - S0431

HotCroissant is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.(Citation: US-CERT HOTCROISSANT February 2020) HotCroissant shares numerous code similarities with Rifdoor.(Citation: Carbon Black HotCroissant April 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HotCroissant - S0431.

Known Synonyms
HotCroissant

Internal MISP references

UUID aad11e34-02ca-4220-91cd-2ed420af4db3 which can be used as unique global reference for HotCroissant - S0431 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0431 - webarchive
• https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/ - webarchive
• https://www.us-cert.gov/ncas/analysis-reports/ar20-045d - webarchive

Associated metadata

Metadata key	Value
external_id	S0431
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Downdelph - S0134

Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. (Citation: ESET Sednit Part 3)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Downdelph - S0134.

Known Synonyms
Delphacy
Downdelph

Internal MISP references

UUID 08d20cd2-f084-45ee-8558-fa6ef5a18519 which can be used as unique global reference for Downdelph - S0134 in MISP communities and other software using the MISP galaxy

External references

• http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf - webarchive
• https://attack.mitre.org/software/S0134 - webarchive

Associated metadata

Metadata key	Value
external_id	S0134
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Flame - S0143

Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Flame - S0143.

Known Synonyms
Flame
Flamer
sKyWIper

Internal MISP references

UUID ff6840c9-4c87-4d07-bbb6-9f50aa33d498 which can be used as unique global reference for Flame - S0143 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0143 - webarchive
• https://securelist.com/the-flame-questions-and-answers-51/34344/ - webarchive
• https://www.crysys.hu/publications/files/skywiper.pdf - webarchive
• https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache - webarchive

Associated metadata

Metadata key	Value
external_id	S0143
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

StrifeWater - S1034

StrifeWater is a remote-access tool that has been used by Moses Staff in the initial stages of their attacks since at least November 2021.(Citation: Cybereason StrifeWater Feb 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular StrifeWater - S1034.

Known Synonyms
StrifeWater

Internal MISP references

UUID fb78294a-7d7a-4d38-8ad0-92e67fddc9f0 which can be used as unique global reference for StrifeWater - S1034 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1034 - webarchive
• https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations - webarchive

Associated metadata

Metadata key	Value
external_id	S1034
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Xbash - S0341

Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.(Citation: Unit42 Xbash Sept 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Xbash - S0341.

Known Synonyms
Xbash

Internal MISP references

UUID 6a92d80f-cc65-45f6-aa66-3cdea6786b3c which can be used as unique global reference for Xbash - S0341 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0341 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0341
mitre_platforms	['Windows', 'Linux']

Related clusters

To see the related clusters, click here.

Final1stspy - S0355

Final1stspy is a dropper family that has been used to deliver DOGCALL.(Citation: Unit 42 Nokki Oct 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Final1stspy - S0355.

Known Synonyms
Final1stspy

Internal MISP references

UUID a2282af0-f9dd-4373-9b92-eaf9e11e0c71 which can be used as unique global reference for Final1stspy - S0355 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0355 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0355
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

AvosLocker - S1053

AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Joint CSA AvosLocker Mar 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AvosLocker - S1053.

Known Synonyms
AvosLocker

Internal MISP references

UUID 0945a1a5-a79a-47c8-9079-10c16cdfcb5d which can be used as unique global reference for AvosLocker - S1053 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1053 - webarchive
• https://www.ic3.gov/Media/News/2022/220318.pdf - webarchive
• https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners - webarchive
• https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker - webarchive

Associated metadata

Metadata key	Value
external_id	S1053
mitre_platforms	['Linux', 'Windows']

Related clusters

To see the related clusters, click here.

Cannon - S0351

Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. (Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cannon - S0351.

Known Synonyms
Cannon

Internal MISP references

UUID d20b397a-ea47-48a9-b503-2e2a3551e11d which can be used as unique global reference for Cannon - S0351 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0351 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/ - webarchive
• https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0351
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

HIDEDRV - S0135

HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware. (Citation: ESET Sednit Part 3) (Citation: Sekoia HideDRV Oct 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HIDEDRV - S0135.

Known Synonyms
HIDEDRV

Internal MISP references

UUID e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4 which can be used as unique global reference for HIDEDRV - S0135 in MISP communities and other software using the MISP galaxy

External references

• http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf - webarchive
• http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf - webarchive
• https://attack.mitre.org/software/S0135 - webarchive

Associated metadata

Metadata key	Value
external_id	S0135
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

LiteDuke - S0513

LiteDuke is a third stage backdoor that was used by APT29, primarily in 2014-2015. LiteDuke used the same dropper as PolyglotDuke, and was found on machines also compromised by MiniDuke.(Citation: ESET Dukes October 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LiteDuke - S0513.

Known Synonyms
LiteDuke

Internal MISP references

UUID 95e2cbae-d82c-4f7b-b63c-16462015d35d which can be used as unique global reference for LiteDuke - S0513 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0513 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0513
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DualToy - S0315

DualToy is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)

Internal MISP references

UUID 507fe748-5e4a-4b45-9e9f-8b1115f4e878 which can be used as unique global reference for DualToy - S0315 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0315 - webarchive
• https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0315

Related clusters

To see the related clusters, click here.

Grandoreiro - S0531

Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. Grandoreiro has confirmed victims in Brazil, Mexico, Portugal, and Spain.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Grandoreiro - S0531.

Known Synonyms
Grandoreiro

Internal MISP references

UUID 958b5d06-8bb0-4c5b-a2e7-0130fe654ac7 which can be used as unique global reference for Grandoreiro - S0531 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0531 - webarchive
• https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ - webarchive
• https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0531
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RedLeaves - S0153

RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RedLeaves - S0153.

Known Synonyms
BUGJUICE
RedLeaves

Internal MISP references

UUID 17b40f60-729f-4fe8-8aea-cc9ee44a95d5 which can be used as unique global reference for RedLeaves - S0153 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0153 - webarchive
• https://twitter.com/ItsReallyNick/status/850105140589633536 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html - webarchive
• https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0153
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Snip3 - S1086

Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE.(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Snip3 - S1086.

Known Synonyms
Snip3

Internal MISP references

UUID 4327aff5-f194-440c-b499-4d9730cc1eab which can be used as unique global reference for Snip3 - S1086 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1086 - webarchive
• https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader - webarchive
• https://telefonicatech.com/blog/snip3-investigacion-malware - webarchive

Associated metadata

Metadata key	Value
external_id	S1086
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

USBStealer - S0136

USBStealer is malware that has been used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. (Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular USBStealer - S0136.

Known Synonyms
USB Stealer
USBStealer
Win32/USBStealer

Internal MISP references

UUID af2ad3b7-ab6a-4807-91fd-51bcaff9acbb which can be used as unique global reference for USBStealer - S0136 in MISP communities and other software using the MISP galaxy

External references

• http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/ - webarchive
• https://attack.mitre.org/software/S0136 - webarchive
• https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0136
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Chaes - S0631

Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.(Citation: Cybereason Chaes Nov 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chaes - S0631.

Known Synonyms
Chaes

Internal MISP references

UUID 77e0ecf7-ca91-4c06-8012-8e728986a87a which can be used as unique global reference for Chaes - S0631 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0631 - webarchive
• https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0631
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Janicab - S0163

Janicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it. (Citation: Janicab)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Janicab - S0163.

Known Synonyms
Janicab

Internal MISP references

UUID 234e7770-99b0-4f65-b983-d3230f76a60b which can be used as unique global reference for Janicab - S0163 in MISP communities and other software using the MISP galaxy

External references

• http://www.thesafemac.com/new-signed-malware-called-janicab/ - webarchive
• https://attack.mitre.org/software/S0163 - webarchive

Associated metadata

Metadata key	Value
external_id	S0163
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

STARWHALE - S1037

STARWHALE is Windows Script File (WSF) backdoor that has been used by MuddyWater, possibly since at least November 2021; there is also a STARWHALE variant written in Golang with similar capabilities. Security researchers have also noted the use of STARWHALE by UNC3313, which may be associated with MuddyWater.(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular STARWHALE - S1037.

Known Synonyms
CANOPY
STARWHALE

Internal MISP references

UUID e355fc84-6f3c-4888-8e0a-d7fa9c378532 which can be used as unique global reference for STARWHALE - S1037 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1037 - webarchive
• https://www.cisa.gov/uscert/ncas/alerts/aa22-055a - webarchive
• https://www.mandiant.com/resources/telegram-malware-iranian-espionage - webarchive

Associated metadata

Metadata key	Value
external_id	S1037
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

CORESHELL - S0137

CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CORESHELL - S0137.

Known Synonyms
CORESHELL
SOURFACE
Sofacy

Internal MISP references

UUID 60c18d06-7b91-4742-bae3-647845cd9d81 which can be used as unique global reference for CORESHELL - S0137 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0137 - webarchive
• https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ - webarchive
• https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0137
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FLIPSIDE - S0173

FLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims. (Citation: Mandiant FIN5 GrrCON Oct 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FLIPSIDE - S0173.

Known Synonyms
FLIPSIDE

Internal MISP references

UUID 0e18b800-906c-4e44-a143-b11c72b3448b which can be used as unique global reference for FLIPSIDE - S0173 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0173 - webarchive
• https://www.youtube.com/watch?v=fevGZs0EQu8 - webarchive

Associated metadata

Metadata key	Value
external_id	S0173
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

POWERTON - S0371

POWERTON is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by APT33. At least two variants of the backdoor have been identified, with the later version containing improved functionality.(Citation: FireEye APT33 Guardrail)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POWERTON - S0371.

Known Synonyms
POWERTON

Internal MISP references

UUID e85cae1a-bce3-4ac4-b36b-b00acac0567b which can be used as unique global reference for POWERTON - S0371 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0371 - webarchive
• https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0371
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Marcher - S0317

Marcher is Android malware that is used for financial fraud. (Citation: Proofpoint-Marcher)

Internal MISP references

UUID f9854ba6-989d-43bf-828b-7240b8a65291 which can be used as unique global reference for Marcher - S0317 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0317 - webarchive
• https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks - webarchive

Associated metadata

Metadata key	Value
external_id	S0317

Related clusters

To see the related clusters, click here.

Royal - S1073

Royal is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. Royal employs partial encryption and multiple threads to evade detection and speed encryption. Royal has been used in attacks against multiple industries worldwide--including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in Royal and Conti attacks and noted a possible connection between their operators.(Citation: Microsoft Royal ransomware November 2022)(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: Trend Micro Royal Linux ESXi February 2023)(Citation: CISA Royal AA23-061A March 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Royal - S1073.

Known Synonyms
Royal

Internal MISP references

UUID 802a874d-7463-4f2a-99e3-6a1f5a919a21 which can be used as unique global reference for Royal - S1073 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1073 - webarchive
• https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a - webarchive
• https://www.cybereason.com/blog/royal-ransomware-analysis - webarchive
• https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive - webarchive
• https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/ - webarchive
• https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html - webarchive

Associated metadata

Metadata key	Value
external_id	S1073
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

OLDBAIT - S0138

OLDBAIT is a credential harvester used by APT28. (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OLDBAIT - S0138.

Known Synonyms
OLDBAIT
Sasfis

Internal MISP references

UUID 2dd34b01-6110-4aac-835d-b5e7b936b0be which can be used as unique global reference for OLDBAIT - S0138 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0138 - webarchive
• https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf - webarchive
• https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0138
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FlawedAmmyy - S0381

FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmyy was based on leaked source code for a version of Ammyy Admin, a remote access software.(Citation: Proofpoint TA505 Mar 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlawedAmmyy - S0381.

Known Synonyms
FlawedAmmyy

Internal MISP references

UUID 432555de-63bf-4f2a-a3fa-f720a4561078 which can be used as unique global reference for FlawedAmmyy - S0381 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0381 - webarchive
• https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware - webarchive

Associated metadata

Metadata key	Value
external_id	S0381
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Chameleon - S1083

Chameleon is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, Chameleon has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chameleon - S1083.

Known Synonyms
Chameleon

Internal MISP references

UUID 2cf00c5a-857d-4cb6-8f03-82f15bee0f6f which can be used as unique global reference for Chameleon - S1083 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1083 - webarchive
• https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1083
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

HAWKBALL - S0391

HAWKBALL is a backdoor that was observed in targeting of the government sector in Central Asia.(Citation: FireEye HAWKBALL Jun 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HAWKBALL - S0391.

Known Synonyms
HAWKBALL

Internal MISP references

UUID 12a7450d-b03e-4990-a5b8-b405ab9c803b which can be used as unique global reference for HAWKBALL - S0391 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0391 - webarchive
• https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0391
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Allwinner - S0319

Allwinner is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by Allwinner for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)

Internal MISP references

UUID 08784a9d-09e9-4dce-a839-9612398214e8 which can be used as unique global reference for Allwinner - S0319 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0319 - webarchive
• https://thehackernews.com/2016/05/android-kernal-exploit.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0319

Related clusters

To see the related clusters, click here.

Bumblebee - S1039

Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. Bumblebee has been linked to ransomware operations including Conti, Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bumblebee - S1039.

Known Synonyms
Bumblebee

Internal MISP references

UUID 04378e79-4387-468a-a8f7-f974b8254e44 which can be used as unique global reference for Bumblebee - S1039 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1039 - webarchive
• https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/ - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime - webarchive
• https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming - webarchive

Associated metadata

Metadata key	Value
external_id	S1039
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PowerDuke - S0139

PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. (Citation: Volexity PowerDuke November 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PowerDuke - S0139.

Known Synonyms
PowerDuke

Internal MISP references

UUID 00c3bfcb-99bd-4767-8c03-b08f585f5c8a which can be used as unique global reference for PowerDuke - S0139 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0139 - webarchive
• https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0139
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FlyTrap - S1093

FlyTrap is an Android trojan, first detected in March 2021, that uses social engineering tactics to compromise Facebook accounts. FlyTrap was initially detected through infected apps on the Google Play store, and is believed to have impacted over 10,000 victims across at least 140 countries.(Citation: Trend Micro FlyTrap)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlyTrap - S1093.

Known Synonyms
FlyTrap

Internal MISP references

UUID 8338393c-cb2e-4ee6-b944-34672499c785 which can be used as unique global reference for FlyTrap - S1093 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1093 - webarchive
• https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1093
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

BabyShark - S0414

BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. (Citation: Unit42 BabyShark Feb 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BabyShark - S0414.

Known Synonyms
BabyShark

Internal MISP references

UUID d1b7830a-fced-4be3-a99c-f495af9d9e1b which can be used as unique global reference for BabyShark - S0414 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0414 - webarchive
• https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/ - webarchive
• https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0414
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ChChes - S0144

ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ChChes - S0144.

Known Synonyms
ChChes
HAYMAKER
Scorpion

Internal MISP references

UUID dc5d1a33-62aa-4a0c-aa8c-589b87beb11e which can be used as unique global reference for ChChes - S0144 in MISP communities and other software using the MISP galaxy

External references

• http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html - webarchive
• http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/ - webarchive
• https://attack.mitre.org/software/S0144 - webarchive
• https://twitter.com/ItsReallyNick/status/850105140589633536 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html - webarchive
• https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0144
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FunnyDream - S1044

FunnyDream is a backdoor with multiple components that was used during the FunnyDream campaign since at least 2019, primarily for execution and exfiltration.(Citation: Bitdefender FunnyDream Campaign November 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FunnyDream - S1044.

Known Synonyms
FunnyDream

Internal MISP references

UUID be25c1c0-1590-4219-a3d5-6f31799d1d1b which can be used as unique global reference for FunnyDream - S1044 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1044 - webarchive
• https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S1044
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PowerShower - S0441

PowerShower is a PowerShell backdoor used by Inception for initial reconnaissance and to download and execute second stage payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PowerShower - S0441.

Known Synonyms
PowerShower

Internal MISP references

UUID 53486bc7-7748-4716-8190-e4f1fde04c53 which can be used as unique global reference for PowerShower - S0441 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0441 - webarchive
• https://securelist.com/recent-cloud-atlas-activity/92016/ - webarchive
• https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0441
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BOOSTWRITE - S0415

BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used by FIN7.(Citation: FireEye FIN7 Oct 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BOOSTWRITE - S0415.

Known Synonyms
BOOSTWRITE

Internal MISP references

UUID 56d10a7f-bb42-4267-9b4c-63abb9c06010 which can be used as unique global reference for BOOSTWRITE - S0415 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0415 - webarchive
• https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0415
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

POWERSOURCE - S0145

POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POWERSOURCE - S0145.

Known Synonyms
DNSMessenger
POWERSOURCE

Internal MISP references

UUID 17e919aa-4a49-445c-b103-dbb8df9e7351 which can be used as unique global reference for POWERSOURCE - S0145 in MISP communities and other software using the MISP galaxy

External references

• http://blog.talosintelligence.com/2017/03/dnsmessenger.html - webarchive
• https://attack.mitre.org/software/S0145 - webarchive
• https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0145
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Drinik - S1054

Drinik is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, Drinik resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Drinik - S1054.

Known Synonyms
Drinik

Internal MISP references

UUID d6e009b7-df5e-447a-bfd2-d5b77374edfe which can be used as unique global reference for Drinik - S1054 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1054 - webarchive
• https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1054
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

LoudMiner - S0451

LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LoudMiner - S0451.

Known Synonyms
LoudMiner

Internal MISP references

UUID f99f3dcc-683f-4936-8791-075ac5e58f10 which can be used as unique global reference for LoudMiner - S0451 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0451 - webarchive
• https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0451
mitre_platforms	['macOS', 'Windows']

Related clusters

To see the related clusters, click here.

WellMess - S0514

WellMess is lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by APT29.(Citation: CISA WellMess July 2020)(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WellMess - S0514.

Known Synonyms
WellMess

Internal MISP references

UUID 3a4197ae-ec63-4162-907b-9a073d1157e4 which can be used as unique global reference for WellMess - S0514 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0514 - webarchive
• https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b - webarchive
• https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf - webarchive
• https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0514
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

TEXTMATE - S0146

TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017. (Citation: FireEye FIN7 March 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TEXTMATE - S0146.

Known Synonyms
DNSMessenger
TEXTMATE

Internal MISP references

UUID 4f6aa78c-c3d4-4883-9840-96ca2f5d6d47 which can be used as unique global reference for TEXTMATE - S0146 in MISP communities and other software using the MISP galaxy

External references

• http://blog.talosintelligence.com/2017/03/dnsmessenger.html - webarchive
• https://attack.mitre.org/software/S0146 - webarchive
• https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0146
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

CostaBricks - S0614

CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.(Citation: BlackBerry CostaRicto November 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CostaBricks - S0614.

Known Synonyms
CostaBricks

Internal MISP references

UUID 5d342981-5194-41e7-b33f-8e91998d7d88 which can be used as unique global reference for CostaBricks - S0614 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0614 - webarchive
• https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced - webarchive

Associated metadata

Metadata key	Value
external_id	S0614
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SDBbot - S0461

SDBbot is a backdoor with installer and loader components that has been used by TA505 since at least 2019.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SDBbot - S0461.

Known Synonyms
SDBbot

Internal MISP references

UUID 92b03a94-7147-4952-9d5a-b4d24da7487c which can be used as unique global reference for SDBbot - S0461 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0461 - webarchive
• https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/ - webarchive
• https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader - webarchive

Associated metadata

Metadata key	Value
external_id	S0461
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SVCReady - S1064

SVCReady is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between TA551 activity and SVCReady distribution, including similarities in file names, lure images, and identical grammatical errors.(Citation: HP SVCReady Jun 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SVCReady - S1064.

Known Synonyms
SVCReady

Internal MISP references

UUID 7230ded7-3b1a-4d6e-9735-d0ffd47af9f6 which can be used as unique global reference for SVCReady - S1064 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1064 - webarchive
• https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1064
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RDFSNIFFER - S0416

RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.(Citation: FireEye FIN7 Oct 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RDFSNIFFER - S0416.

Known Synonyms
RDFSNIFFER

Internal MISP references

UUID 065196de-d7e8-4888-acfb-b2134022ba1b which can be used as unique global reference for RDFSNIFFER - S0416 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0416 - webarchive
• https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0416
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

TDTESS - S0164

TDTESS is a 64-bit .NET binary backdoor used by CopyKittens. (Citation: ClearSky Wilted Tulip July 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TDTESS - S0164.

Known Synonyms
TDTESS

Internal MISP references

UUID 0b32ec39-ba61-4864-9ebe-b4b0b73caf9a which can be used as unique global reference for TDTESS - S0164 in MISP communities and other software using the MISP galaxy

External references

• http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf - webarchive
• https://attack.mitre.org/software/S0164 - webarchive

Associated metadata

Metadata key	Value
external_id	S0164
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PowGoop - S1046

PowGoop is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by MuddyWater as their main loader.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PowGoop - S1046.

Known Synonyms
PowGoop

Internal MISP references

UUID c19d19ae-dd58-4584-8469-966bbeaa80e3 which can be used as unique global reference for PowGoop - S1046 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1046 - webarchive
• https://www.cisa.gov/uscert/ncas/alerts/aa22-055a - webarchive
• https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1046
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Kobalos - S0641

Kobalos is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. Kobalos has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. Kobalos was first identified in late 2019.(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kobalos - S0641.

Known Synonyms
Kobalos

Internal MISP references

UUID 9abdda30-08e0-4ab1-9cf0-d447654c6de9 which can be used as unique global reference for Kobalos - S0641 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0641 - webarchive
• https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/ - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0641
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

ANDROMEDA - S1074

ANDROMEDA is commodity malware that was widespread in the early 2010's and continues to be observed in infections across a wide variety of industries. During the 2022 C0026 campaign, threat actors re-registered expired ANDROMEDA C2 domains to spread malware to select targets in Ukraine.(Citation: Mandiant Suspected Turla Campaign February 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ANDROMEDA - S1074.

Known Synonyms
ANDROMEDA

Internal MISP references

UUID dcd9548e-df9e-47c2-81f3-bc084289959d which can be used as unique global reference for ANDROMEDA - S1074 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1074 - webarchive
• https://www.mandiant.com/resources/blog/turla-galaxy-opportunity - webarchive

Associated metadata

Metadata key	Value
external_id	S1074
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

GRIFFON - S0417

GRIFFON is a JavaScript backdoor used by FIN7. (Citation: SecureList Griffon May 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GRIFFON - S0417.

Known Synonyms
GRIFFON

Internal MISP references

UUID 04fc1842-f9e4-47cf-8cb8-5c61becad142 which can be used as unique global reference for GRIFFON - S0417 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0417 - webarchive
• https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0417
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Mori - S1047

Mori is a backdoor that has been used by MuddyWater since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mori - S1047.

Known Synonyms
Mori

Internal MISP references

UUID 7e100ca4-e639-48d9-9a9d-8ad84aa7b448 which can be used as unique global reference for Mori - S1047 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1047 - webarchive
• https://www.cisa.gov/uscert/ncas/alerts/aa22-055a - webarchive
• https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1047
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Pteranodon - S0147

Pteranodon is a custom backdoor used by Gamaredon Group. (Citation: Palo Alto Gamaredon Feb 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pteranodon - S0147.

Known Synonyms
Pteranodon
Pterodo

Internal MISP references

UUID 5f9f7648-04ba-4a9f-bb4c-2a13e74572bd which can be used as unique global reference for Pteranodon - S0147 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0147 - webarchive
• https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/ - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine - webarchive
• https://www.secureworks.com/research/threat-profiles/iron-tilden - webarchive

Associated metadata

Metadata key	Value
external_id	S0147
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

build_downer - S0471

build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.(Citation: Trend Micro Tick November 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular build_downer - S0471.

Known Synonyms
build_downer

Internal MISP references

UUID d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40 which can be used as unique global reference for build_downer - S0471 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0471 - webarchive
• https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0471
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

QUIETEXIT - S1084

QUIETEXIT is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by APT29 since at least 2021. APT29 has deployed QUIETEXIT on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QUIETEXIT - S1084.

Known Synonyms
QUIETEXIT

Internal MISP references

UUID 4816d361-f82b-4a18-aa05-b215e7cf9200 which can be used as unique global reference for QUIETEXIT - S1084 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1084 - webarchive
• https://www.mandiant.com/resources/blog/unc3524-eye-spy-email - webarchive

Associated metadata

Metadata key	Value
external_id	S1084
mitre_platforms	['Network']

Related clusters

To see the related clusters, click here.

POWRUNER - S0184

POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server. (Citation: FireEye APT34 Dec 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POWRUNER - S0184.

Known Synonyms
POWRUNER

Internal MISP references

UUID 09b2cd76-c674-47cc-9f57-d2f2ad150a46 which can be used as unique global reference for POWRUNER - S0184 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0184 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0184
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ViceLeaker - S0418

ViceLeaker is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ViceLeaker - S0418.

Known Synonyms
Triout
ViceLeaker

Internal MISP references

UUID 6fcaf9b0-b509-4644-9f93-556222c81ed2 which can be used as unique global reference for ViceLeaker - S0418 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0418 - webarchive
• https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/ - webarchive
• https://securelist.com/fanning-the-flames-viceleaker-operation/90877/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0418
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

RTM - S0148

RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). Newer versions of the malware have been reported publicly as Redaman.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RTM - S0148.

Known Synonyms
RTM
Redaman

Internal MISP references

UUID 92ec0cbd-2c30-44a2-b270-73f4ec949841 which can be used as unique global reference for RTM - S0148 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0148 - webarchive
• https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/ - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0148
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BRATA - S1094

BRATA (Brazilian Remote Access Tool, Android), is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, BRATA was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of BRATA.(Citation: securelist_brata_0819)(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BRATA - S1094.

Known Synonyms
BRATA

Internal MISP references

UUID 5aff44ab-5a41-49bb-b5d1-b4876d0437f4 which can be used as unique global reference for BRATA - S1094 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1094 - webarchive
• https://securelist.com/spying-android-rat-from-brazil-brata/92775/ - webarchive
• https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account - webarchive
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1094
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

SUGARUSH - S1049

SUGARUSH is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address. SUGARUSH was first identified during analysis of UNC3890's C0010 campaign targeting Israeli companies, which began in late 2020.(Citation: Mandiant UNC3890 Aug 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SUGARUSH - S1049.

Known Synonyms
SUGARUSH

Internal MISP references

UUID 44e2a842-415b-47f4-8549-83fbdb8a5674 which can be used as unique global reference for SUGARUSH - S1049 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1049 - webarchive
• https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping - webarchive

Associated metadata

Metadata key	Value
external_id	S1049
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SimBad - S0419

SimBad was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name "SimBad" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SimBad - S0419.

Known Synonyms
SimBad

Internal MISP references

UUID f79c01eb-2954-40d8-a819-00b342f47ce7 which can be used as unique global reference for SimBad - S0419 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0419 - webarchive
• https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0419
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

MoonWind - S0149

MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. (Citation: Palo Alto MoonWind March 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MoonWind - S0149.

Known Synonyms
MoonWind

Internal MISP references

UUID 9ea525fa-b0a9-4dde-84f2-bcea0137b3c1 which can be used as unique global reference for MoonWind - S0149 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/ - webarchive
• https://attack.mitre.org/software/S0149 - webarchive

Associated metadata

Metadata key	Value
external_id	S0149
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

StrongPity - S0491

StrongPity is an information stealing malware used by PROMETHIUM.(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular StrongPity - S0491.

Known Synonyms
StrongPity

Internal MISP references

UUID 20945359-3b39-4542-85ef-08ecb4e1c174 which can be used as unique global reference for StrongPity - S0491 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0491 - webarchive
• https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html - webarchive
• https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0491
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SharkBot - S1055

SharkBot is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SharkBot - S1055.

Known Synonyms
SharkBot

Internal MISP references

UUID 9cd72f5c-bec0-4f7e-bb6d-296937116291 which can be used as unique global reference for SharkBot - S1055 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1055 - webarchive
• https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1055
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

WINDSHIELD - S0155

WINDSHIELD is a signature backdoor used by APT32. (Citation: FireEye APT32 May 2017)

Internal MISP references

UUID 98e8a977-3416-43aa-87fa-33e287e9c14c which can be used as unique global reference for WINDSHIELD - S0155 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0155 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0155

Related clusters

To see the related clusters, click here.

GoldenEagle - S0551

GoldenEagle is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.(Citation: Lookout Uyghur Campaign)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GoldenEagle - S0551.

Known Synonyms
GoldenEagle

Internal MISP references

UUID 0b9c5d11-651a-4378-b129-5c584d0242c5 which can be used as unique global reference for GoldenEagle - S0551 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0551 - webarchive
• https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0551

Related clusters

To see the related clusters, click here.

WellMail - S0515

WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure to WellMess.(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WellMail - S0515.

Known Synonyms
WellMail

Internal MISP references

UUID 959f3b19-2dc8-48d5-8942-c66813a5101a which can be used as unique global reference for WellMail - S0515 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0515 - webarchive
• https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c - webarchive
• https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0515
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SombRAT - S0615

SombRAT is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including FIVEHANDS ransomware.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SombRAT - S0615.

Known Synonyms
SombRAT

Internal MISP references

UUID 425771c5-48b4-4ecd-9f95-74ed3fc9da59 which can be used as unique global reference for SombRAT - S0615 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0615 - webarchive
• https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced - webarchive
• https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a - webarchive
• https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0615
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BoxCaon - S0651

BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. BoxCaon's name stems from similarities shared with the malware family xCaon.(Citation: Checkpoint IndigoZebra July 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BoxCaon - S0651.

Known Synonyms
BoxCaon

Internal MISP references

UUID 919a056e-5104-43b9-ad55-2ac929108b71 which can be used as unique global reference for BoxCaon - S0651 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0651 - webarchive
• https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/ - webarchive
• https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0651
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SoreFang - S0516

SoreFang is first stage downloader used by APT29 for exfiltration and to load other malware.(Citation: NCSC APT29 July 2020)(Citation: CISA SoreFang July 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SoreFang - S0516.

Known Synonyms
SoreFang

Internal MISP references

UUID e33e4603-afab-402d-b2a1-248d435b5fe0 which can be used as unique global reference for SoreFang - S0516 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0516 - webarchive
• https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a - webarchive
• https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0516
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

KOMPROGO - S0156

KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management. (Citation: FireEye APT32 May 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KOMPROGO - S0156.

Known Synonyms
KOMPROGO

Internal MISP references

UUID 7dbb67c7-270a-40ad-836e-c45f8948aa5a which can be used as unique global reference for KOMPROGO - S0156 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0156 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0156
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

GuLoader - S0561

GuLoader is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including NETWIRE, Agent Tesla, NanoCore, FormBook, and Parallax RAT.(Citation: Unit 42 NETWIRE April 2020)(Citation: Medium Eli Salem GuLoader April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GuLoader - S0561.

Known Synonyms
GuLoader

Internal MISP references

UUID 45c759ac-b490-48bb-80d4-c8eee3431027 which can be used as unique global reference for GuLoader - S0561 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0561 - webarchive
• https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4 - webarchive
• https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0561
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

OSInfo - S0165

OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network. (Citation: Symantec Buckeye)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OSInfo - S0165.

Known Synonyms
OSInfo

Internal MISP references

UUID f6d1d2cb-12f5-4221-9636-44606ea1f3f8 which can be used as unique global reference for OSInfo - S0165 in MISP communities and other software using the MISP galaxy

External references

• http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong - webarchive
• https://attack.mitre.org/software/S0165 - webarchive

Associated metadata

Metadata key	Value
external_id	S0165
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

TianySpy - S1056

TianySpy is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. TianySpy is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TianySpy - S1056.

Known Synonyms
TianySpy

Internal MISP references

UUID fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6 which can be used as unique global reference for TianySpy - S1056 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1056 - webarchive
• https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html - webarchive

Associated metadata

Metadata key	Value
external_id	S1056
mitre_platforms	['Android', 'iOS']

Related clusters

To see the related clusters, click here.

KOPILUWAK - S1075

KOPILUWAK is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.(Citation: Mandiant Suspected Turla Campaign February 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KOPILUWAK - S1075.

Known Synonyms
KOPILUWAK

Internal MISP references

UUID 09fcc02f-f9d4-43fa-8609-5e5e186b7103 which can be used as unique global reference for KOPILUWAK - S1075 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1075 - webarchive
• https://www.mandiant.com/resources/blog/turla-galaxy-opportunity - webarchive

Associated metadata

Metadata key	Value
external_id	S1075
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SOUNDBITE - S0157

SOUNDBITE is a signature backdoor used by APT32. (Citation: FireEye APT32 May 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SOUNDBITE - S0157.

Known Synonyms
SOUNDBITE

Internal MISP references

UUID 9ca488bd-9587-48ef-b923-1743523e63b2 which can be used as unique global reference for SOUNDBITE - S0157 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0157 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0157
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Pillowmint - S0517

Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.(Citation: Trustwave Pillowmint June 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pillowmint - S0517.

Known Synonyms
Pillowmint

Internal MISP references

UUID bd7a9e13-69fa-4243-a5e5-04326a63f9f2 which can be used as unique global reference for Pillowmint - S0517 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0517 - webarchive
• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0517
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SEASHARPEE - S0185

SEASHARPEE is a Web shell that has been used by OilRig. (Citation: FireEye APT34 Webinar Dec 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SEASHARPEE - S0185.

Known Synonyms
SEASHARPEE

Internal MISP references

UUID 0998045d-f96e-4284-95ce-3c8219707486 which can be used as unique global reference for SEASHARPEE - S0185 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0185 - webarchive
• https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east - webarchive

Associated metadata

Metadata key	Value
external_id	S0185
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PHOREAL - S0158

PHOREAL is a signature backdoor used by APT32. (Citation: FireEye APT32 May 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PHOREAL - S0158.

Known Synonyms
PHOREAL

Internal MISP references

UUID f6ae7a52-f3b6-4525-9daf-640c083f006e which can be used as unique global reference for PHOREAL - S0158 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0158 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0158
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PolyglotDuke - S0518

PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been used to drop MiniDuke.(Citation: ESET Dukes October 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PolyglotDuke - S0518.

Known Synonyms
PolyglotDuke

Internal MISP references

UUID 3d57dcc4-be99-4613-9482-d5218f5ec13e which can be used as unique global reference for PolyglotDuke - S0518 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0518 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0518
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Prestige - S1058

Prestige ransomware has been used by Sandworm Team since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.(Citation: Microsoft Prestige ransomware October 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Prestige - S1058.

Known Synonyms
Prestige

Internal MISP references

UUID 1da748a5-875d-4212-9222-b4c23ab861be which can be used as unique global reference for Prestige - S1058 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1058 - webarchive
• https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1058
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Sardonic - S1085

Sardonic is a backdoor written in C and C++ that is known to be used by FIN8, as early as August 2021 to target a financial institution in the United States. Sardonic has a plugin system that can load specially made DLLs and execute their functions.(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sardonic - S1085.

Known Synonyms
Sardonic

Internal MISP references

UUID 0c52f5bc-557d-4083-bd27-66d7cdb794bb which can be used as unique global reference for Sardonic - S1085 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1085 - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor - webarchive
• https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S1085
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

AhRat - S1095

AhRat is an Android remote access tool based on the open-source AhMyth remote access tool. AhRat initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, “iRecorder – Screen Recorder”, which itself was released in September 2021.(Citation: welivesecurity_ahrat_0523)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AhRat - S1095.

Known Synonyms
AhRat

Internal MISP references

UUID 24c8f6db-71e0-41ef-a1dc-83399a5b17e5 which can be used as unique global reference for AhRat - S1095 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1095 - webarchive
• https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1095
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

SNUGRIDE - S0159

SNUGRIDE is a backdoor that has been used by menuPass as first stage malware. (Citation: FireEye APT10 April 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SNUGRIDE - S0159.

Known Synonyms
SNUGRIDE

Internal MISP references

UUID 3240cbe4-c550-443b-aa76-cc2a7058b870 which can be used as unique global reference for SNUGRIDE - S0159 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0159 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0159
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

metaMain - S1059

metaMain is a backdoor used by Metador to maintain long-term access to compromised machines; it has also been used to decrypt Mafalda into memory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular metaMain - S1059.

Known Synonyms
metaMain

Internal MISP references

UUID df350889-4de9-44e5-8cb3-888b8343e97c which can be used as unique global reference for metaMain - S1059 in MISP communities and other software using the MISP galaxy

External references

• https://assets.sentinelone.com/sentinellabs22/metador#page=1 - webarchive
• https://attack.mitre.org/software/S1059 - webarchive
• https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm - webarchive

Associated metadata

Metadata key	Value
external_id	S1059
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DEATHRANSOM - S0616

DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.(Citation: FireEye FiveHands April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEATHRANSOM - S0616.

Known Synonyms
DEATHRANSOM

Internal MISP references

UUID 6de9cad1-eed2-4e27-b0b5-39fa29349ea0 which can be used as unique global reference for DEATHRANSOM - S0616 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0616 - webarchive
• https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0616
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RemoteCMD - S0166

RemoteCMD is a custom tool used by APT3 to execute commands on a remote system similar to SysInternal's PSEXEC functionality. (Citation: Symantec Buckeye)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RemoteCMD - S0166.

Known Synonyms
RemoteCMD

Internal MISP references

UUID 4e6b9625-bbda-4d96-a652-b3bb45453f26 which can be used as unique global reference for RemoteCMD - S0166 in MISP communities and other software using the MISP galaxy

External references

• http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong - webarchive
• https://attack.mitre.org/software/S0166 - webarchive

Associated metadata

Metadata key	Value
external_id	S0166
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DarkTortilla - S1066

DarkTortilla is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. DarkTortilla has been used to deliver popular information stealers, RATs, and payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.(Citation: Secureworks DarkTortilla Aug 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkTortilla - S1066.

Known Synonyms
DarkTortilla

Internal MISP references

UUID 5faaf81a-aa5b-4a4b-bae5-522439e068f8 which can be used as unique global reference for DarkTortilla - S1066 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1066 - webarchive
• https://www.secureworks.com/research/darktortilla-malware-analysis - webarchive

Associated metadata

Metadata key	Value
external_id	S1066
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FoggyWeb - S0661

FoggyWeb is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by APT29 since at least early April 2021.(Citation: MSTIC FoggyWeb September 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FoggyWeb - S0661.

Known Synonyms
FoggyWeb

Internal MISP references

UUID 72911fe3-f085-40f7-b4f2-f25a4221fe44 which can be used as unique global reference for FoggyWeb - S0661 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0661 - webarchive
• https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0661
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

QUIETCANARY - S1076

QUIETCANARY is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.(Citation: Mandiant Suspected Turla Campaign February 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QUIETCANARY - S1076.

Known Synonyms
QUIETCANARY
Tunnus

Internal MISP references

UUID 93289ecf-4d15-4d6b-a9c3-4ab27e145ef4 which can be used as unique global reference for QUIETCANARY - S1076 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1076 - webarchive
• https://www.mandiant.com/resources/blog/turla-galaxy-opportunity - webarchive

Associated metadata

Metadata key	Value
external_id	S1076
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FluBot - S1067

FluBot is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FluBot - S1067.

Known Synonyms
FluBot

Internal MISP references

UUID f5ff006c-702f-4ded-8e60-ca6c540d91bc which can be used as unique global reference for FluBot - S1067 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1067 - webarchive
• https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/ - webarchive
• https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon - webarchive

Associated metadata

Metadata key	Value
external_id	S1067
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

HELLOKITTY - S0617

HELLOKITTY is a ransomware written in C++ that shares similar code structure and functionality with DEATHRANSOM and FIVEHANDS. HELLOKITTY has been used since at least 2020, targets have included a Polish video game developer and a Brazilian electric power company.(Citation: FireEye FiveHands April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HELLOKITTY - S0617.

Known Synonyms
HELLOKITTY

Internal MISP references

UUID 5d11d418-95dd-4377-b782-23160dfa17b4 which can be used as unique global reference for HELLOKITTY - S0617 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0617 - webarchive
• https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0617
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Matryoshka - S0167

Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Matryoshka - S0167.

Known Synonyms
Matryoshka

Internal MISP references

UUID 1cc934e4-b01d-4543-a011-b988dfc1a458 which can be used as unique global reference for Matryoshka - S0167 in MISP communities and other software using the MISP galaxy

External references

• http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf - webarchive
• https://attack.mitre.org/software/S0167 - webarchive
• https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0167
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Tomiris - S0671

Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between Tomiris and GoldMax.(Citation: Kaspersky Tomiris Sep 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tomiris - S0671.

Known Synonyms
Tomiris

Internal MISP references

UUID 327b3a25-9e60-4431-b3b6-93b9c64eacbc which can be used as unique global reference for Tomiris - S0671 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0671 - webarchive
• https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0671

Related clusters

To see the related clusters, click here.

Wingbird - S0176

Wingbird is a backdoor that appears to be a version of commercial software FinFisher. It is reportedly used to attack individual computers instead of networks. It was used by NEODYMIUM in a May 2016 campaign. (Citation: Microsoft SIR Vol 21) (Citation: Microsoft NEODYMIUM Dec 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Wingbird - S0176.

Known Synonyms
Wingbird

Internal MISP references

UUID a8d3d497-2da9-4797-8e0b-ed176be08654 which can be used as unique global reference for Wingbird - S0176 in MISP communities and other software using the MISP galaxy

External references

• http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf - webarchive
• https://attack.mitre.org/software/S0176 - webarchive
• https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/ - webarchive
• https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Wingbird.A!dha - webarchive

Associated metadata

Metadata key	Value
external_id	S0176
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FIVEHANDS - S0618

FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with SombRAT.(Citation: FireEye FiveHands April 2021)(Citation: NCC Group Fivehands June 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIVEHANDS - S0618.

Known Synonyms
FIVEHANDS

Internal MISP references

UUID f464354c-7103-47c6-969b-8766f0157ed2 which can be used as unique global reference for FIVEHANDS - S0618 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0618 - webarchive
• https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/ - webarchive
• https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0618
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BlackCat - S1068

BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, BlackCat has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)(Citation: ACSC BlackCat Apr 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackCat - S1068.

Known Synonyms
ALPHV
BlackCat
Noberus

Internal MISP references

UUID 50c44c34-3abb-48ae-9433-a2337de5b0bc which can be used as unique global reference for BlackCat - S1068 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1068 - webarchive
• https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/ - webarchive
• https://www.cyber.gov.au/about-us/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat - webarchive
• https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1068
mitre_platforms	['Linux', 'Windows']

Related clusters

To see the related clusters, click here.

DownPaper - S0186

DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware. (Citation: ClearSky Charming Kitten Dec 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DownPaper - S0186.

Known Synonyms
DownPaper

Internal MISP references

UUID e48df773-7c95-4a4c-ba70-ea3d15900148 which can be used as unique global reference for DownPaper - S0186 in MISP communities and other software using the MISP galaxy

External references

• http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf - webarchive
• https://attack.mitre.org/software/S0186 - webarchive

Associated metadata

Metadata key	Value
external_id	S0186
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Gazer - S0168

Gazer is a backdoor used by Turla since at least 2016. (Citation: ESET Gazer Aug 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gazer - S0168.

Known Synonyms
Gazer
WhiteBear

Internal MISP references

UUID 76abb3ef-dafd-4762-97cb-a35379429db4 which can be used as unique global reference for Gazer - S0168 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0168 - webarchive
• https://securelist.com/introducing-whitebear/81638/ - webarchive
• https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/ - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0168
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Lizar - S0681

Lizar is a modular remote access tool written using the .NET Framework that shares structural similarities to Carbanak. It has likely been used by FIN7 since at least February 2021.(Citation: BiZone Lizar May 2021)(Citation: Threatpost Lizar May 2021)(Citation: Gemini FIN7 Oct 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lizar - S0681.

Known Synonyms
Lizar
Tirion

Internal MISP references

UUID f74a5069-015d-4404-83ad-5ca01056c0dc which can be used as unique global reference for Lizar - S0681 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0681 - webarchive
• https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319 - webarchive
• https://geminiadvisory.io/fin7-ransomware-bastion-secure/ - webarchive
• https://threatpost.com/fin7-backdoor-ethical-hacking-tool/166194/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0681
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PUNCHBUGGY - S0196

PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PUNCHBUGGY - S0196.

Known Synonyms
PUNCHBUGGY
ShellTea

Internal MISP references

UUID 5c6ed2dc-37f4-40ea-b2e1-4c76140a388c which can be used as unique global reference for PUNCHBUGGY - S0196 in MISP communities and other software using the MISP galaxy

External references

• http://blog.morphisec.com/security-alert-fin8-is-back - webarchive
• https://attack.mitre.org/software/S0196 - webarchive
• https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html - webarchive
• https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0196
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

TangleBot - S1069

TangleBot is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. TangleBot has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to FluBot Android malware campaigns.(Citation: cloudmark_tanglebot_0921)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TangleBot - S1069.

Known Synonyms
TangleBot

Internal MISP references

UUID 68156e5a-4c3a-46dd-9c5e-c0bfdec6651f which can be used as unique global reference for TangleBot - S1069 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1069 - webarchive
• https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19 - webarchive

Associated metadata

Metadata key	Value
external_id	S1069
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Cheerscrypt - S1096

Cheerscrypt is a ransomware that was developed by Cinnamon Tempest and has been used in attacks against ESXi and Windows environments since at least 2022. Cheerscrypt was derived from the leaked Babuk source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from Babuk.(Citation: Sygnia Emperor Dragonfly October 2022)(Citation: Trend Micro Cheerscrypt May 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cheerscrypt - S1096.

Known Synonyms
Cheerscrypt

Internal MISP references

UUID 5d3fa1db-5041-4560-b87b-8f61cc225c52 which can be used as unique global reference for Cheerscrypt - S1096 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1096 - webarchive
• https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group - webarchive
• https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html - webarchive

Associated metadata

Metadata key	Value
external_id	S1096
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Neoichor - S0691

Neoichor is C2 malware used by Ke3chang since at least 2019; similar malware families used by the group include Leeson and Numbldea.(Citation: Microsoft NICKEL December 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Neoichor - S0691.

Known Synonyms
Neoichor

Internal MISP references

UUID 4d7bf2ac-f953-4907-b114-be44dc174d67 which can be used as unique global reference for Neoichor - S0691 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0691 - webarchive
• https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe - webarchive

Associated metadata

Metadata key	Value
external_id	S0691
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RawPOS - S0169

RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. (Citation: Kroll RawPOS Jan 2017) (Citation: TrendMicro RawPOS April 2015) (Citation: Visa RawPOS March 2015) FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RawPOS - S0169.

Known Synonyms
DRIFTWOOD
DUEBREW
FIENDCRY
RawPOS

Internal MISP references

UUID 9752aef4-a1f3-4328-929f-b64eb0536090 which can be used as unique global reference for RawPOS - S0169 in MISP communities and other software using the MISP galaxy

External references

• http://sjc1-te-ftp.trendmicro.com/images/tex/pdf/RawPOS%20Technical%20Brief.pdf - webarchive
• https://attack.mitre.org/software/S0169 - webarchive
• https://github.com/DiabloHorn/mempdump - webarchive
• https://usa.visa.com/dam/VCOM/download/merchants/alert-rawpos.pdf - webarchive
• https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645? - webarchive
• https://www.kroll.com/en/insights/publications/malware-analysis-report-rawpos-malware - webarchive
• https://www.youtube.com/watch?v=fevGZs0EQu8 - webarchive

Associated metadata

Metadata key	Value
external_id	S0169
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Hornbill - S1077

Hornbill is one of two mobile malware families known to be used by the APT Confucius. Analysis suggests that Hornbill was first active in early 2018. While Hornbill and Sunbird overlap in core capabilities, Hornbill has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hornbill - S1077.

Known Synonyms
Hornbill

Internal MISP references

UUID 15d78a95-af6a-4b06-8dae-76bedb0ec5a1 which can be used as unique global reference for Hornbill - S1077 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1077 - webarchive
• https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict - webarchive

Associated metadata

Metadata key	Value
external_id	S1077
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Daserf - S0187

Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Daserf - S0187.

Known Synonyms
Daserf
Muirim
Nioupale

Internal MISP references

UUID b6b3dfc7-9a81-43ff-ac04-698bad48973a which can be used as unique global reference for Daserf - S0187 in MISP communities and other software using the MISP galaxy

External references

• http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/ - webarchive
• https://attack.mitre.org/software/S0187 - webarchive
• https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses - webarchive

Associated metadata

Metadata key	Value
external_id	S0187
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RotaJakiro - S1078

RotaJakiro is a 64-bit Linux backdoor used by APT32. First seen in 2018, it uses a plugin architecture to extend capabilities. RotaJakiro can determine it's permission level and execute according to access type (root or user).(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: netlab360 rotajakiro vs oceanlotus)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RotaJakiro - S1078.

Known Synonyms
RotaJakiro

Internal MISP references

UUID 08e844a8-371f-4fe3-9d1f-e056e64a7fde which can be used as unique global reference for RotaJakiro - S1078 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1078 - webarchive
• https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/ - webarchive
• https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1078
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

Truvasys - S0178

Truvasys is first-stage malware that has been used by PROMETHIUM. It is a collection of modules written in the Delphi programming language. (Citation: Microsoft Win Defender Truvasys Sep 2017) (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Truvasys - S0178.

Known Synonyms
Truvasys

Internal MISP references

UUID 691c60e2-273d-4d56-9ce6-b67e0f8719ad which can be used as unique global reference for Truvasys - S0178 in MISP communities and other software using the MISP galaxy

External references

• http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf - webarchive
• https://attack.mitre.org/software/S0178 - webarchive
• https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/ - webarchive
• https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Truvasys.A!dha - webarchive

Associated metadata

Metadata key	Value
external_id	S0178
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PUNCHTRACK - S0197

PUNCHTRACK is non-persistent point of sale (POS) system malware utilized by FIN8 to scrape payment card data. (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PUNCHTRACK - S0197.

Known Synonyms
PSVC
PUNCHTRACK

Internal MISP references

UUID c4de7d83-e875-4c88-8b5d-06c41e5b7e79 which can be used as unique global reference for PUNCHTRACK - S0197 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0197 - webarchive
• https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html - webarchive
• https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0197
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BOULDSPY - S1079

BOULDSPY is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that BOULDSPY primarily targeted minority groups in Iran.(Citation: lookout_bouldspy_0423)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BOULDSPY - S1079.

Known Synonyms
BOULDSPY

Internal MISP references

UUID a2ee7d2d-fb45-44f3-8f67-9921c7810db1 which can be used as unique global reference for BOULDSPY - S1079 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1079 - webarchive
• https://www.lookout.com/blog/iranian-spyware-bouldspy - webarchive

Associated metadata

Metadata key	Value
external_id	S1079
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Disco - S1088

Disco is a custom implant that has been used by MoustachedBouncer since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.(Citation: MoustachedBouncer ESET August 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Disco - S1088.

Known Synonyms
Disco

Internal MISP references

UUID e1445afd-c359-45ed-8f27-626dc4d5e157 which can be used as unique global reference for Disco - S1088 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1088 - webarchive
• https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1088
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Starloader - S0188

Starloader is a loader component that has been observed loading Felismus and associated tools. (Citation: Symantec Sowbug Nov 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Starloader - S0188.

Known Synonyms
Starloader

Internal MISP references

UUID 96566860-9f11-4b6f-964d-1c924e4f24a4 which can be used as unique global reference for Starloader - S0188 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0188 - webarchive
• https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments - webarchive

Associated metadata

Metadata key	Value
external_id	S0188
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SharpDisco - S1089

SharpDisco is a dropper developed in C# that has been used by MoustachedBouncer since at least 2020 to load malicious plugins.(Citation: MoustachedBouncer ESET August 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SharpDisco - S1089.

Known Synonyms
SharpDisco

Internal MISP references

UUID 1fefb062-feda-484a-8f10-0cebf65e20e3 which can be used as unique global reference for SharpDisco - S1089 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1089 - webarchive
• https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1089
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

NETWIRE - S0198

NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.(Citation: FireEye APT33 Sept 2017)(Citation: McAfee Netwire Mar 2015)(Citation: FireEye APT33 Webinar Sept 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NETWIRE - S0198.

Known Synonyms
NETWIRE

Internal MISP references

UUID 2a70812b-f1ef-44db-8578-a496a227aef2 which can be used as unique global reference for NETWIRE - S0198 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0198 - webarchive
• https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/ - webarchive
• https://www.brighttalk.com/webcast/10703/275683 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0198
mitre_platforms	['Windows', 'Linux', 'macOS']

Related clusters

To see the related clusters, click here.

ISMInjector - S0189

ISMInjector is a Trojan used to install another OilRig backdoor, ISMAgent. (Citation: OilRig New Delivery Oct 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ISMInjector - S0189.

Known Synonyms
ISMInjector

Internal MISP references

UUID 5be33fef-39c0-4532-84ee-bea31e1b5324 which can be used as unique global reference for ISMInjector - S0189 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0189 - webarchive
• https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0189
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

TURNEDUP - S0199

TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TURNEDUP - S0199.

Known Synonyms
TURNEDUP

Internal MISP references

UUID db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c which can be used as unique global reference for TURNEDUP - S0199 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0199 - webarchive
• https://www.brighttalk.com/webcast/10703/275683 - webarchive
• https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0199
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Samurai - S1099

Samurai is a passive backdoor that has been used by ToddyCat since at least 2020. Samurai allows arbitrary C# code execution and is used with multiple modules for remote administration and lateral movement.(Citation: Kaspersky ToddyCat June 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Samurai - S1099.

Known Synonyms
Samurai

Internal MISP references

UUID ae91fb8f-5031-4f57-9839-e3be3ed503f0 which can be used as unique global reference for Samurai - S1099 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1099 - webarchive
• https://securelist.com/toddycat/106799/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1099
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

CCBkdr - S0222

CCBkdr is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. (Citation: Talos CCleanup 2017) (Citation: Intezer Aurora Sept 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CCBkdr - S0222.

Known Synonyms
CCBkdr

Internal MISP references

UUID b0f13390-cec7-4814-b37c-ccec01887faa which can be used as unique global reference for CCBkdr - S0222 in MISP communities and other software using the MISP galaxy

External references

• http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html - webarchive
• http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/ - webarchive
• https://attack.mitre.org/software/S0222 - webarchive

Associated metadata

Metadata key	Value
external_id	S0222
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

POWERSTATS - S0223

POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater. (Citation: Unit 42 MuddyWater Nov 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POWERSTATS - S0223.

Known Synonyms
POWERSTATS
Powermud

Internal MISP references

UUID e8545794-b98c-492b-a5b3-4b5a02682e37 which can be used as unique global reference for POWERSTATS - S0223 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0223 - webarchive
• https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/ - webarchive
• https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf - webarchive
• https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group - webarchive

Associated metadata

Metadata key	Value
external_id	S0223
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

HummingBad - S0322

HummingBad is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. (Citation: ArsTechnica-HummingBad)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HummingBad - S0322.

Known Synonyms
HummingBad

Internal MISP references

UUID c8770c81-c29f-40d2-a140-38544206b2b4 which can be used as unique global reference for HummingBad - S0322 in MISP communities and other software using the MISP galaxy

External references

• http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/ - webarchive
• https://attack.mitre.org/software/S0322 - webarchive

Associated metadata

Metadata key	Value
external_id	S0322

Related clusters

To see the related clusters, click here.

HOMEFRY - S0232

HOMEFRY is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other Leviathan backdoors. (Citation: FireEye Periscope March 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HOMEFRY - S0232.

Known Synonyms
HOMEFRY

Internal MISP references

UUID 7451bcf9-e6e6-4a70-bc3d-1599173d0035 which can be used as unique global reference for HOMEFRY - S0232 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0232 - webarchive
• https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0232
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SynAck - S0242

SynAck is variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. (Citation: SecureList SynAck Doppelgänging May 2018) (Citation: Kaspersky Lab SynAck May 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SynAck - S0242.

Known Synonyms
SynAck

Internal MISP references

UUID 04227b24-7817-4de1-9050-b7b1b57f5866 which can be used as unique global reference for SynAck - S0242 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0242 - webarchive
• https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/ - webarchive
• https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging - webarchive

Associated metadata

Metadata key	Value
external_id	S0242
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Anubis - S0422

Anubis is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.(Citation: Cofense Anubis)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anubis - S0422.

Known Synonyms
Anubis

Internal MISP references

UUID a3c59d82-2c7c-44e5-a869-68e0a3e5935e which can be used as unique global reference for Anubis - S0422 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0422 - webarchive
• https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0422
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Exobot - S0522

Exobot is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.(Citation: Threat Fabric Exobot)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Exobot - S0522.

Known Synonyms
Exobot
Marcher

Internal MISP references

UUID c91cec55-634c-4670-ba10-2dc7ceb28e98 which can be used as unique global reference for Exobot - S0522 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0522 - webarchive
• https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks - webarchive
• https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0522
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

AppleSeed - S0622

AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, and commercial targets since at least 2021.(Citation: Malwarebytes Kimsuky June 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AppleSeed - S0622.

Known Synonyms
AppleSeed

Internal MISP references

UUID 295721d2-ee20-4fa3-ade3-37f4146b4570 which can be used as unique global reference for AppleSeed - S0622 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0622 - webarchive
• https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0622
mitre_platforms	['Windows', 'Android']

Related clusters

To see the related clusters, click here.

NDiskMonitor - S0272

NDiskMonitor is a custom backdoor written in .NET that appears to be unique to Patchwork. (Citation: TrendMicro Patchwork Dec 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NDiskMonitor - S0272.

Known Synonyms
NDiskMonitor

Internal MISP references

UUID d1183cb9-258e-4f2f-8415-50ac8252c49e which can be used as unique global reference for NDiskMonitor - S0272 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0272 - webarchive
• https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0272
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

NanHaiShu - S0228

NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute. (Citation: Proofpoint Leviathan Oct 2017) (Citation: fsecure NanHaiShu July 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NanHaiShu - S0228.

Known Synonyms
NanHaiShu

Internal MISP references

UUID 705f0783-5f7d-4491-b6b7-9628e6e006d2 which can be used as unique global reference for NanHaiShu - S0228 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0228 - webarchive
• https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf - webarchive
• https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets - webarchive

Associated metadata

Metadata key	Value
external_id	S0228
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

MacSpy - S0282

MacSpy is a malware-as-a-service offered on the darkweb (Citation: objsee mac malware 2017).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MacSpy - S0282.

Known Synonyms
MacSpy

Internal MISP references

UUID f72251cb-2be5-421f-a081-99c29a1209e7 which can be used as unique global reference for MacSpy - S0282 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0282 - webarchive
• https://objective-see.com/blog/blog_0x25.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0282
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

AndroRAT - S0292

AndroRAT is an open-source remote access tool for Android devices. AndroRAT is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as sending SMS messages and taking pictures.(Citation: Lookout-EnterpriseApps)(Citation: github_androrat)(Citation: Forcepoint BITTER Pakistan Oct 2016) It is originally available through the The404Hacking Github repository.(Citation: github_androrat)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AndroRAT - S0292.

Known Synonyms
AndroRAT

Internal MISP references

UUID a3dad2be-ce62-4440-953b-00fbce7aba93 which can be used as unique global reference for AndroRAT - S0292 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0292 - webarchive
• https://blog.lookout.com/blog/2016/05/25/spoofed-apps/ - webarchive
• https://web.archive.org/web/20221013124327/https://github.com/The404Hacking/AndroRAT - webarchive
• https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan - webarchive

Associated metadata

Metadata key	Value
external_id	S0292
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Orz - S0229

Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Orz - S0229.

Known Synonyms
AIRBREAK
Orz

Internal MISP references

UUID 06d735e7-1db1-4dbe-ab4b-acbe419f902b which can be used as unique global reference for Orz - S0229 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0229 - webarchive
• https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive
• https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets - webarchive

Associated metadata

Metadata key	Value
external_id	S0229
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Charger - S0323

Charger is Android malware that steals steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. (Citation: CheckPoint-Charger)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Charger - S0323.

Known Synonyms
Charger

Internal MISP references

UUID d1c600f8-0fb6-4367-921b-85b71947d950 which can be used as unique global reference for Charger - S0323 in MISP communities and other software using the MISP galaxy

External references

• http://blog.checkpoint.com/2017/01/24/charger-malware/ - webarchive
• https://attack.mitre.org/software/S0323 - webarchive

Associated metadata

Metadata key	Value
external_id	S0323
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

MURKYTOP - S0233

MURKYTOP is a reconnaissance tool used by Leviathan. (Citation: FireEye Periscope March 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MURKYTOP - S0233.

Known Synonyms
MURKYTOP

Internal MISP references

UUID 049ff071-0b3c-4712-95d2-d21c6aa54501 which can be used as unique global reference for MURKYTOP - S0233 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0233 - webarchive
• https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0233
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Bread - S0432

Bread was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bread - S0432.

Known Synonyms
Bread
Joker

Internal MISP references

UUID 108b2817-bc01-404e-8e1b-8cdeec846326 which can be used as unique global reference for Bread - S0432 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0432 - webarchive
• https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0432
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Bandook - S0234

Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. Bandook has been used by Dark Caracal, as well as in a separate campaign referred to as "Operation Manul".(Citation: EFF Manul Aug 2016)(Citation: Lookout Dark Caracal Jan 2018)(Citation: CheckPoint Bandook Nov 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bandook - S0234.

Known Synonyms
Bandook

Internal MISP references

UUID 835a79f1-842d-472d-b8f4-d54b545c341b which can be used as unique global reference for Bandook - S0234 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0234 - webarchive
• https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf - webarchive
• https://research.checkpoint.com/2020/bandook-signed-delivered/ - webarchive
• https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0234
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DealersChoice - S0243

DealersChoice is a Flash exploitation framework used by APT28. (Citation: Sofacy DealersChoice)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DealersChoice - S0243.

Known Synonyms
DealersChoice

Internal MISP references

UUID 8f460983-1bbb-4e7e-8094-f0b5e720f658 which can be used as unique global reference for DealersChoice - S0243 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0243 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0243
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SpyDealer - S0324

SpyDealer is Android malware that exfiltrates sensitive data from Android devices. (Citation: PaloAlto-SpyDealer)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SpyDealer - S0324.

Known Synonyms
SpyDealer

Internal MISP references

UUID 86fc6f0c-86d9-473e-89f3-f50f3cb9319b which can be used as unique global reference for SpyDealer - S0324 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0324 - webarchive
• https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0324
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

GreyEnergy - S0342

GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities with the BlackEnergy malware and is thought to be the successor of it.(Citation: ESET GreyEnergy Oct 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GreyEnergy - S0342.

Known Synonyms
GreyEnergy

Internal MISP references

UUID 308b3d68-a084-4dfb-885a-3125e1a9c1e8 which can be used as unique global reference for GreyEnergy - S0342 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0342 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0342
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Ginp - S0423

Ginp is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from Anubis.(Citation: ThreatFabric Ginp)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ginp - S0423.

Known Synonyms
Ginp

Internal MISP references

UUID 6146be90-470c-4049-bb3a-9986b8ffb65b which can be used as unique global reference for Ginp - S0423 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0423 - webarchive
• https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0423
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

CrossRAT - S0235

CrossRAT is a cross platform RAT.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CrossRAT - S0235.

Known Synonyms
CrossRAT

Internal MISP references

UUID a5e91d50-24fa-44ec-9894-39a88f658cea which can be used as unique global reference for CrossRAT - S0235 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0235 - webarchive
• https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0235
mitre_platforms	['Linux', 'Windows', 'macOS']

Related clusters

To see the related clusters, click here.

RunningRAT - S0253

RunningRAT is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with Gold Dragon and Brave Prince. (Citation: McAfee Gold Dragon)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RunningRAT - S0253.

Known Synonyms
RunningRAT

Internal MISP references

UUID 60d50676-459a-47dd-92e9-a827a9fe9c58 which can be used as unique global reference for RunningRAT - S0253 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0253 - webarchive
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0253
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Judy - S0325

Judy is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)

Internal MISP references

UUID 172444ab-97fc-4d94-b142-179452bfb760 which can be used as unique global reference for Judy - S0325 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0325 - webarchive
• https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0325

Related clusters

To see the related clusters, click here.

Lucifer - S0532

Lucifer is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.(Citation: Unit 42 Lucifer June 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lucifer - S0532.

Known Synonyms
Lucifer

Internal MISP references

UUID 54a73038-1937-4d71-a253-316e76d5413c which can be used as unique global reference for Lucifer - S0532 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0532 - webarchive
• https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0532
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

TYPEFRAME - S0263

TYPEFRAME is a remote access tool that has been used by Lazarus Group. (Citation: US-CERT TYPEFRAME June 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TYPEFRAME - S0263.

Known Synonyms
TYPEFRAME

Internal MISP references

UUID 7ba0fc46-197d-466d-8b9f-f1c64d5d81e5 which can be used as unique global reference for TYPEFRAME - S0263 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0263 - webarchive
• https://www.us-cert.gov/ncas/analysis-reports/AR18-165A - webarchive

Associated metadata

Metadata key	Value
external_id	S0263
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

GrimAgent - S0632

GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020; it is likely used by FIN6 and Wizard Spider.(Citation: Group IB GrimAgent July 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GrimAgent - S0632.

Known Synonyms
GrimAgent

Internal MISP references

UUID c9b99d03-ff11-4a48-95f0-82660d582c25 which can be used as unique global reference for GrimAgent - S0632 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0632 - webarchive
• https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer - webarchive

Associated metadata

Metadata key	Value
external_id	S0632
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RedDrop - S0326

RedDrop is an Android malware family that exfiltrates sensitive data from devices. (Citation: Wandera-RedDrop)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RedDrop - S0326.

Known Synonyms
RedDrop

Internal MISP references

UUID 9ed10b5a-ff20-467f-bf2f-d3fbf763e381 which can be used as unique global reference for RedDrop - S0326 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0326 - webarchive
• https://www.wandera.com/reddrop-malware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0326
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Kwampirs - S0236

Kwampirs is a backdoor Trojan used by Orangeworm. Kwampirs has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines.(Citation: Symantec Orangeworm April 2018) Kwampirs has multiple technical overlaps with Shamoon based on reverse engineering analysis.(Citation: Cylera Kwampirs 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kwampirs - S0236.

Known Synonyms
Kwampirs

Internal MISP references

UUID c2417bab-3189-4d4d-9d60-96de2cdaf0ab which can be used as unique global reference for Kwampirs - S0236 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0236 - webarchive
• https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf - webarchive
• https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia - webarchive

Associated metadata

Metadata key	Value
external_id	S0236
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Siloscape - S0623

Siloscape is malware that targets Kubernetes clusters through Windows containers. Siloscape was first observed in March 2021.(Citation: Unit 42 Siloscape Jun 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Siloscape - S0623.

Known Synonyms
Siloscape

Internal MISP references

UUID 4fbd565b-bf55-4ac7-80b4-b183a7b64b9c which can be used as unique global reference for Siloscape - S0623 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0623 - webarchive
• https://unit42.paloaltonetworks.com/siloscape/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0623
mitre_platforms	['Windows', 'Containers']

Related clusters

To see the related clusters, click here.

GravityRAT - S0237

GravityRAT is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organization and entities in India. (Citation: Talos GravityRAT)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GravityRAT - S0237.

Known Synonyms
GravityRAT

Internal MISP references

UUID 1d1fce2f-0db5-402b-9843-4278a0694637 which can be used as unique global reference for GravityRAT - S0237 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0237 - webarchive
• https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0237
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

LockerGoga - S0372

LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LockerGoga - S0372.

Known Synonyms
LockerGoga

Internal MISP references

UUID 5af7a825-2d9f-400d-931a-e00eb9e27f48 which can be used as unique global reference for LockerGoga - S0372 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0372 - webarchive
• https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/ - webarchive
• https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0372
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Socksbot - S0273

Socksbot is a backdoor that abuses Socket Secure (SOCKS) proxies. (Citation: TrendMicro Patchwork Dec 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Socksbot - S0273.

Known Synonyms
Socksbot

Internal MISP references

UUID e494ad79-37ee-4cd0-866b-299c521d8b94 which can be used as unique global reference for Socksbot - S0273 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0273 - webarchive
• https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0273
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Skygofree - S0327

Skygofree is Android spyware that is believed to have been developed in 2014 and used through at least 2017. (Citation: Kaspersky-Skygofree)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Skygofree - S0327.

Known Synonyms
Skygofree

Internal MISP references

UUID 3a913bac-4fae-4d0e-bca8-cae452f1599b which can be used as unique global reference for Skygofree - S0327 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0327 - webarchive
• https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0327
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

jRAT - S0283

jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of jRAT have been distributed via a software-as-a-service platform, similar to an online subscription model.(Citation: Kaspersky Adwind Feb 2016) (Citation: jRAT Symantec Aug 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular jRAT - S0283.

Known Synonyms
Adwind
AlienSpy
Frutas
JSocket
Sockrat
Trojan.Maljava
Unrecom
jBiFrost
jFrutas
jRAT

Internal MISP references

UUID efece7e8-e40b-49c2-9f84-c55c5c93d05c which can be used as unique global reference for jRAT - S0283 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0283 - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf - webarchive
• https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools - webarchive
• https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques - webarchive

Associated metadata

Metadata key	Value
external_id	S0283
mitre_platforms	['Linux', 'Windows', 'macOS', 'Android']

Related clusters

To see the related clusters, click here.

ServHelper - S0382

ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.(Citation: Proofpoint TA505 Jan 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ServHelper - S0382.

Known Synonyms
ServHelper

Internal MISP references

UUID aae22730-e571-4d17-b037-65f2a3e26213 which can be used as unique global reference for ServHelper - S0382 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0382 - webarchive
• https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505 - webarchive

Associated metadata

Metadata key	Value
external_id	S0382
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Proxysvc - S0238

Proxysvc is a malicious DLL used by Lazarus Group in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of Proxysvc is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. (Citation: McAfee GhostSecret)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Proxysvc - S0238.

Known Synonyms
Proxysvc

Internal MISP references

UUID 069af411-9b24-4e85-b26c-623d035bbe84 which can be used as unique global reference for Proxysvc - S0238 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0238 - webarchive
• https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0238
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BrainTest - S0293

BrainTest is a family of Android malware. (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)

Internal MISP references

UUID e13d084c-382f-40fd-aa9a-98d69e20301e which can be used as unique global reference for BrainTest - S0293 in MISP communities and other software using the MISP galaxy

External references

• http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/ - webarchive
• https://attack.mitre.org/software/S0293 - webarchive
• https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0293

Related clusters

To see the related clusters, click here.

Bankshot - S0239

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. (Citation: McAfee Bankshot)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bankshot - S0239.

Known Synonyms
Bankshot
Trojan Manuscript

Internal MISP references

UUID 1f6e3702-7ca1-4582-b2e7-4591297d05a8 which can be used as unique global reference for Bankshot - S0239 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0239 - webarchive
• https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0239
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Tangelo - S0329

Tangelo is iOS malware that is believed to be from the same developers as the Stealth Mango Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tangelo - S0329.

Known Synonyms
Tangelo

Internal MISP references

UUID 35aae10a-97c5-471a-9c67-02c231a7a31a which can be used as unique global reference for Tangelo - S0329 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0329 - webarchive
• https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0329
mitre_platforms	['iOS']

Related clusters

To see the related clusters, click here.

VBShower - S0442

VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as a downloader for second stage payloads, including PowerShower.(Citation: Kaspersky Cloud Atlas August 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VBShower - S0442.

Known Synonyms
VBShower

Internal MISP references

UUID 8caa18af-4758-4fd3-9600-e8af579e89ed which can be used as unique global reference for VBShower - S0442 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0442 - webarchive
• https://securelist.com/recent-cloud-atlas-activity/92016/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0442
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Comnie - S0244

Comnie is a remote backdoor which has been used in attacks in East Asia. (Citation: Palo Alto Comnie)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Comnie - S0244.

Known Synonyms
Comnie

Internal MISP references

UUID f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e which can be used as unique global reference for Comnie - S0244 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0244 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0244
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Triada - S0424

Triada was first reported in 2016 as a second stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Triada - S0424.

Known Synonyms
Triada

Internal MISP references

UUID f082fc59-0317-49cf-971f-a1b6296ebb52 which can be used as unique global reference for Triada - S0424 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0424 - webarchive
• https://www.kaspersky.com/blog/triada-trojan/11481/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0424
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

BADCALL - S0245

BADCALL is a Trojan malware variant used by the group Lazarus Group. (Citation: US-CERT BADCALL)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BADCALL - S0245.

Known Synonyms
BADCALL

Internal MISP references

UUID 9dbdadb6-fdbf-490f-a35f-38762d06a0d2 which can be used as unique global reference for BADCALL - S0245 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0245 - webarchive
• https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF - webarchive

Associated metadata

Metadata key	Value
external_id	S0245
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PLAINTEE - S0254

PLAINTEE is a malware sample that has been used by Rancor in targeted attacks in Singapore and Cambodia. (Citation: Rancor Unit42 June 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PLAINTEE - S0254.

Known Synonyms
PLAINTEE

Internal MISP references

UUID 21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b which can be used as unique global reference for PLAINTEE - S0254 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0254 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0254
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

USBferry - S0452

USBferry is an information stealing malware and has been used by Tropic Trooper in targeted attacks against Taiwanese and Philippine air-gapped military environments. USBferry shares an overlapping codebase with YAHOYAH, though it has several features which makes it a distinct piece of malware.(Citation: TrendMicro Tropic Trooper May 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular USBferry - S0452.

Known Synonyms
USBferry

Internal MISP references

UUID 75bba379-4ba1-467e-8c60-ec2b269ee984 which can be used as unique global reference for USBferry - S0452 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0452 - webarchive
• https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0452
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

CARROTBAT - S0462

CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used to install SYSCON and has infrastructure overlap with KONNI.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CARROTBAT - S0462.

Known Synonyms
CARROTBAT

Internal MISP references

UUID 1b9f0800-035e-4ed1-9648-b18294cc5bc8 which can be used as unique global reference for CARROTBAT - S0462 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0462 - webarchive
• https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/ - webarchive
• https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0462
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

HARDRAIN - S0246

HARDRAIN is a Trojan malware variant reportedly used by the North Korean government. (Citation: US-CERT HARDRAIN March 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HARDRAIN - S0246.

Known Synonyms
HARDRAIN

Internal MISP references

UUID bd0536d7-b081-43ae-a773-cfb057c5b988 which can be used as unique global reference for HARDRAIN - S0246 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0246 - webarchive
• https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0246
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BADFLICK - S0642

BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.(Citation: FireEye Periscope March 2018)(Citation: Accenture MUDCARP March 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BADFLICK - S0642.

Known Synonyms
BADFLICK

Internal MISP references

UUID 57d83eac-a2ea-42b0-a7b2-c80c55157790 which can be used as unique global reference for BADFLICK - S0642 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0642 - webarchive
• https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies - webarchive
• https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0642
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

OopsIE - S0264

OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/from victims. (Citation: Unit 42 OopsIE! Feb 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OopsIE - S0264.

Known Synonyms
OopsIE

Internal MISP references

UUID 8e101fdd-9f7f-4916-bb04-6bd9e94c129c which can be used as unique global reference for OopsIE - S0264 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0264 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/ - webarchive
• https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0264
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Ecipekac - S0624

Ecipekac is a multi-layer loader that has been used by menuPass since at least 2019 including use as a loader for P8RAT, SodaMaster, and FYAnti.(Citation: Securelist APT10 March 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ecipekac - S0624.

Known Synonyms
DESLoader
Ecipekac
HEAVYHAND
SigLoader

Internal MISP references

UUID 292eb0c5-b8e8-4af6-9e8f-0fda6b4528d3 which can be used as unique global reference for Ecipekac - S0624 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0624 - webarchive
• https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0624
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

NavRAT - S0247

NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. (Citation: Talos NavRAT May 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NavRAT - S0247.

Known Synonyms
NavRAT

Internal MISP references

UUID 53a42597-1974-4b8e-84fd-3675e8992053 which can be used as unique global reference for NavRAT - S0247 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0247 - webarchive
• https://blog.talosintelligence.com/2018/05/navrat.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0247
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Calisto - S0274

Calisto is a macOS Trojan that opens a backdoor on the compromised machine. Calisto is believed to have first been developed in 2016. (Citation: Securelist Calisto July 2018) (Citation: Symantec Calisto July 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Calisto - S0274.

Known Synonyms
Calisto

Internal MISP references

UUID b8fdef82-d2cf-4948-8949-6466357b1be1 which can be used as unique global reference for Calisto - S0274 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0274 - webarchive
• https://securelist.com/calisto-trojan-for-macos/86543/ - webarchive
• https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days - webarchive

Associated metadata

Metadata key	Value
external_id	S0274
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

TrickMo - S0427

TrickMo a 2FA bypass mobile banking trojan, most likely being distributed by TrickBot. TrickMo has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)

TrickMo is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TrickMo - S0427.

Known Synonyms
TrickMo

Internal MISP references

UUID 21170624-89db-4e99-bf27-58d26be07c3a which can be used as unique global reference for TrickMo - S0427 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0427 - webarchive
• https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0427
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

down_new - S0472

down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.(Citation: Trend Micro Tick November 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular down_new - S0472.

Known Synonyms
down_new

Internal MISP references

UUID 8be7c69e-d8e3-4970-9668-61de08e508cc which can be used as unique global reference for down_new - S0472 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0472 - webarchive
• https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0472
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PoetRAT - S0428

PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. PoetRAT derived its name from references in the code to poet William Shakespeare. (Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020)(Citation: Dragos Threat Report 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PoetRAT - S0428.

Known Synonyms
PoetRAT

Internal MISP references

UUID cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c which can be used as unique global reference for PoetRAT - S0428 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0428 - webarchive
• https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html - webarchive
• https://blog.talosintelligence.com/2020/10/poetrat-update.html - webarchive
• https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770 - webarchive

Associated metadata

Metadata key	Value
external_id	S0428
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Bundlore - S0482

Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.(Citation: MacKeeper Bundlore Apr 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bundlore - S0482.

Known Synonyms
Bundlore
OSX.Bundlore

Internal MISP references

UUID 7bef1b56-4870-4e74-b32a-7dd88c390c44 which can be used as unique global reference for Bundlore - S0482 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0482 - webarchive
• https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0482
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

More_eggs - S0284

More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. (Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular More_eggs - S0284.

Known Synonyms
More_eggs
SKID
SpicyOmelette
Terra Loader

Internal MISP references

UUID bfd2738c-8b43-43c3-bc9f-d523c8e88bf4 which can be used as unique global reference for More_eggs - S0284 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0284 - webarchive
• https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html - webarchive
• https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
• https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/ - webarchive
• https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf - webarchive
• https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0284
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

yty - S0248

yty is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. (Citation: ASERT Donot March 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular yty - S0248.

Known Synonyms
yty

Internal MISP references

UUID 0817aaf2-afea-4c32-9285-4dcd1df5bf14 which can be used as unique global reference for yty - S0248 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0248 - webarchive
• https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0248
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ShiftyBug - S0294

ShiftyBug is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. (Citation: Lookout-Adware)

Internal MISP references

UUID c80a6bef-b3ce-44d0-b113-946e93124898 which can be used as unique global reference for ShiftyBug - S0294 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0294 - webarchive
• https://blog.lookout.com/blog/2015/11/04/trojanized-adware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0294

Related clusters

To see the related clusters, click here.

CookieMiner - S0492

CookieMiner is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.(Citation: Unit42 CookieMiner Jan 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CookieMiner - S0492.

Known Synonyms
CookieMiner

Internal MISP references

UUID eedc01d5-95e6-4d21-bcd4-1121b1df4586 which can be used as unique global reference for CookieMiner - S0492 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0492 - webarchive
• https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0492
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

Pay2Key - S0556

Pay2Key is a ransomware written in C++ that has been used by Fox Kitten since at least July 2020 including campaigns against Israeli companies. Pay2Key has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.(Citation: ClearkSky Fox Kitten February 2020)(Citation: Check Point Pay2Key November 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pay2Key - S0556.

Known Synonyms
Pay2Key

Internal MISP references

UUID 77ca1aa3-280c-4b67-abaa-e8fb891a8f83 which can be used as unique global reference for Pay2Key - S0556 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0556 - webarchive
• https://research.checkpoint.com/2020/ransomware-alert-pay2key/ - webarchive
• https://www.clearskysec.com/fox-kitten/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0556
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DDKONG - S0255

DDKONG is a malware sample that was part of a campaign by Rancor. DDKONG was first seen used in February 2017. (Citation: Rancor Unit42 June 2018)

Internal MISP references

UUID d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb which can be used as unique global reference for DDKONG - S0255 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0255 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0255

Related clusters

To see the related clusters, click here.

MarkiRAT - S0652

MarkiRAT is a remote access Trojan (RAT) compiled with Visual Studio that has been used by Ferocious Kitten since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MarkiRAT - S0652.

Known Synonyms
MarkiRAT

Internal MISP references

UUID 532c6004-b1e8-415b-9516-f7c14ba783b1 which can be used as unique global reference for MarkiRAT - S0652 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0652 - webarchive
• https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0652
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Cuba - S0625

Cuba is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.(Citation: McAfee Cuba April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cuba - S0625.

Known Synonyms
Cuba

Internal MISP references

UUID 6cd07296-14aa-403d-9229-6343d03d4752 which can be used as unique global reference for Cuba - S0625 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0625 - webarchive
• https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0625
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

KGH_SPY - S0526

KGH_SPY is a modular suite of tools used by Kimsuky for reconnaissance, information stealing, and backdoor capabilities. KGH_SPY derived its name from PDB paths and internal names found in samples containing "KGH".(Citation: Cybereason Kimsuky November 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KGH_SPY - S0526.

Known Synonyms
KGH_SPY

Internal MISP references

UUID 8bdfe255-e658-4ddd-a11c-b854762e451d which can be used as unique global reference for KGH_SPY - S0526 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0526 - webarchive
• https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite - webarchive

Associated metadata

Metadata key	Value
external_id	S0526
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Kazuar - S0265

Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. (Citation: Unit 42 Kazuar May 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kazuar - S0265.

Known Synonyms
Kazuar

Internal MISP references

UUID 536be338-e2ef-4a6b-afb6-8d5568b91eb2 which can be used as unique global reference for Kazuar - S0265 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0265 - webarchive
• https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0265
mitre_platforms	['Windows', 'macOS']

Related clusters

To see the related clusters, click here.

Mosquito - S0256

Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. (Citation: ESET Turla Mosquito Jan 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mosquito - S0256.

Known Synonyms
Mosquito

Internal MISP references

UUID 92b55426-109f-4d93-899f-1833ce91ff90 which can be used as unique global reference for Mosquito - S0256 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0256 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0256
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SUNSPOT - S0562

SUNSPOT is an implant that injected the SUNBURST backdoor into the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.(Citation: CrowdStrike SUNSPOT Implant January 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SUNSPOT - S0562.

Known Synonyms
SUNSPOT

Internal MISP references

UUID bf48e7f8-752c-4ce8-bf8f-748edacd8fa6 which can be used as unique global reference for SUNSPOT - S0562 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0562 - webarchive
• https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0562
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

UPPERCUT - S0275

UPPERCUT is a backdoor that has been used by menuPass. (Citation: FireEye APT10 Sept 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UPPERCUT - S0275.

Known Synonyms
ANEL
UPPERCUT

Internal MISP references

UUID fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa which can be used as unique global reference for UPPERCUT - S0275 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0275 - webarchive
• https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0275
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

VERMIN - S0257

VERMIN is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. (Citation: Unit 42 VERMIN Jan 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VERMIN - S0257.

Known Synonyms
VERMIN

Internal MISP references

UUID 5189f018-fea2-45d7-b0ed-23f9ee0a46f3 which can be used as unique global reference for VERMIN - S0257 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0257 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0257
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

LookBack - S0582

LookBack is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using LookBack.(Citation: Proofpoint LookBack Malware Aug 2019)(Citation: Dragos TALONITE)(Citation: Dragos Threat Report 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LookBack - S0582.

Known Synonyms
LookBack

Internal MISP references

UUID c9ccc4df-1f56-49e7-ad57-b383e1451688 which can be used as unique global reference for LookBack - S0582 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0582 - webarchive
• https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770 - webarchive
• https://www.dragos.com/threat/talonite/ - webarchive
• https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks - webarchive

Associated metadata

Metadata key	Value
external_id	S0582
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

OldBoot - S0285

OldBoot is an Android malware family. (Citation: HackerNews-OldBoot)

Internal MISP references

UUID 2074b2ad-612e-4758-adce-7901c1b49bbc which can be used as unique global reference for OldBoot - S0285 in MISP communities and other software using the MISP galaxy

External references

• http://thehackernews.com/2014/01/first-widely-distributed-android.html - webarchive
• https://attack.mitre.org/software/S0285 - webarchive

Associated metadata

Metadata key	Value
external_id	S0285

Related clusters

To see the related clusters, click here.

RGDoor - S0258

RGDoor is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. RGDoor has been seen deployed on webservers belonging to the Middle East government organizations. RGDoor provides backdoor access to compromised IIS servers. (Citation: Unit 42 RGDoor Jan 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RGDoor - S0258.

Known Synonyms
RGDoor

Internal MISP references

UUID b9eec47e-98f4-4b3c-b574-3fa8a87ebe05 which can be used as unique global reference for RGDoor - S0258 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0258 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0258
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Javali - S0528

Javali is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.(Citation: Securelist Brazilian Banking Malware July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Javali - S0528.

Known Synonyms
Javali

Internal MISP references

UUID 64122557-5940-4271-9123-25bfc0c693db which can be used as unique global reference for Javali - S0528 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0528 - webarchive
• https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0528
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RCSAndroid - S0295

RCSAndroid is Android malware. (Citation: TrendMicro-RCSAndroid)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RCSAndroid - S0295.

Known Synonyms
RCSAndroid

Internal MISP references

UUID 363bc05d-13cb-4e98-a5b7-e250f2bbdc2b which can be used as unique global reference for RCSAndroid - S0295 in MISP communities and other software using the MISP galaxy

External references

• http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/ - webarchive
• https://attack.mitre.org/software/S0295 - webarchive

Associated metadata

Metadata key	Value
external_id	S0295
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

InnaputRAT - S0259

InnaputRAT is a remote access tool that can exfiltrate files from a victim’s machine. InnaputRAT has been seen out in the wild since 2016. (Citation: ASERT InnaputRAT April 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular InnaputRAT - S0259.

Known Synonyms
InnaputRAT

Internal MISP references

UUID c8b6cc43-ce61-42ae-87f3-a5f10526f952 which can be used as unique global reference for InnaputRAT - S0259 in MISP communities and other software using the MISP galaxy

External references

• https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/ - webarchive
• https://attack.mitre.org/software/S0259 - webarchive

Associated metadata

Metadata key	Value
external_id	S0259
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

CarbonSteal - S0529

CarbonSteal is one of a family of four surveillanceware tools that share a common C2 infrastructure. CarbonSteal primarily deals with audio surveillance. (Citation: Lookout Uyghur Campaign)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CarbonSteal - S0529.

Known Synonyms
CarbonSteal

Internal MISP references

UUID 007ebf84-4e14-44c7-a5aa-151d5de85320 which can be used as unique global reference for CarbonSteal - S0529 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0529 - webarchive
• https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0529
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

P8RAT - S0626

P8RAT is a fileless malware used by menuPass to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular P8RAT - S0626.

Known Synonyms
GreetCake
HEAVYPOT
P8RAT

Internal MISP references

UUID 7c58fff0-d206-4db1-96b1-e3a9e0e320b9 which can be used as unique global reference for P8RAT - S0626 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0626 - webarchive
• https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0626
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

TrickBot - S0266

TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: IBM TrickBot Nov 2016)(Citation: CrowdStrike Wizard Spider October 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TrickBot - S0266.

Known Synonyms
TSPY_TRICKLOAD
Totbrick
TrickBot

Internal MISP references

UUID 00806466-754d-44ea-ad6f-0caf59cb8556 which can be used as unique global reference for TrickBot - S0266 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0266 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/ - webarchive
• https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/ - webarchive
• https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ - webarchive
• https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre - webarchive
• https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick - webarchive
• https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf - webarchive
• https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n - webarchive

Associated metadata

Metadata key	Value
external_id	S0266
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RCSession - S0662

RCSession is a backdoor written in C++ that has been in use since at least 2018 by Mustang Panda and by Threat Group-3390 (Type II Backdoor).(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro Iron Tiger April 2021)(Citation: Trend Micro DRBControl February 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RCSession - S0662.

Known Synonyms
RCSession

Internal MISP references

UUID 03acae53-9b98-46f6-b204-16b930839055 which can be used as unique global reference for RCSession - S0662 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0662 - webarchive
• https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf - webarchive
• https://www.secureworks.com/research/bronze-president-targets-ngos - webarchive
• https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0662
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FELIXROOT - S0267

FELIXROOT is a backdoor that has been used to target Ukrainian victims. (Citation: FireEye FELIXROOT July 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FELIXROOT - S0267.

Known Synonyms
FELIXROOT
GreyEnergy mini

Internal MISP references

UUID cf8df906-179c-4a78-bd6e-6605e30f6624 which can be used as unique global reference for FELIXROOT - S0267 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0267 - webarchive
• https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0267
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Keydnap - S0276

This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor (Citation: OSX Keydnap malware).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Keydnap - S0276.

Known Synonyms
Keydnap
OSX/Keydnap

Internal MISP references

UUID 4b072c90-bc7a-432b-940e-016fc1c01761 which can be used as unique global reference for Keydnap - S0276 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0276 - webarchive
• https://objective-see.org/blog/blog_0x16.html - webarchive
• https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0276
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

SodaMaster - S0627

SodaMaster is a fileless malware used by menuPass to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SodaMaster - S0627.

Known Synonyms
DARKTOWN
DelfsCake
SodaMaster
dfls

Internal MISP references

UUID 94d6d788-07bb-4dcc-b62f-e02626b00108 which can be used as unique global reference for SodaMaster - S0627 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0627 - webarchive
• https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0627
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Zox - S0672

Zox is a remote access tool that has been used by Axiom since at least 2008.(Citation: Novetta-Axiom)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zox - S0672.

Known Synonyms
Gresim
Zox
ZoxPNG
ZoxRPC

Internal MISP references

UUID fb28627c-d6ea-4c35-b138-ab5e96ae5445 which can be used as unique global reference for Zox - S0672 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0672 - webarchive
• https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0672
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

OBAD - S0286

OBAD is an Android malware family. (Citation: TrendMicro-Obad)

Internal MISP references

UUID ca4f63b9-a358-4214-bb26-8c912318cfde which can be used as unique global reference for OBAD - S0286 in MISP communities and other software using the MISP galaxy

External references

• http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/ - webarchive
• https://attack.mitre.org/software/S0286 - webarchive

Associated metadata

Metadata key	Value
external_id	S0286

Related clusters

To see the related clusters, click here.

FYAnti - S0628

FYAnti is a loader that has been used by menuPass since at least 2020, including to deploy QuasarRAT.(Citation: Securelist APT10 March 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FYAnti - S0628.

Known Synonyms
DILLJUICE stage2
FYAnti

Internal MISP references

UUID 434ba392-ebdc-488b-b1ef-518deea65774 which can be used as unique global reference for FYAnti - S0628 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0628 - webarchive
• https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0628
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

TrailBlazer - S0682

TrailBlazer is a modular malware that has been used by APT29 since at least 2019.(Citation: CrowdStrike StellarParticle January 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TrailBlazer - S0682.

Known Synonyms
TrailBlazer

Internal MISP references

UUID bdad6f3b-de88-42fa-9295-d29b5271808e which can be used as unique global reference for TrailBlazer - S0682 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0682 - webarchive
• https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0682
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Bisonal - S0268

Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bisonal - S0268.

Known Synonyms
Bisonal

Internal MISP references

UUID 65ffc206-d7c1-45b3-b543-f6b726e7840d which can be used as unique global reference for Bisonal - S0268 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0268 - webarchive
• https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html - webarchive
• https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0268
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

QUADAGENT - S0269

QUADAGENT is a PowerShell backdoor used by OilRig. (Citation: Unit 42 QUADAGENT July 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QUADAGENT - S0269.

Known Synonyms
QUADAGENT

Internal MISP references

UUID 7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77 which can be used as unique global reference for QUADAGENT - S0269 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0269 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0269
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RainyDay - S0629

RainyDay is a backdoor tool that has been used by Naikon since at least 2020.(Citation: Bitdefender Naikon April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RainyDay - S0629.

Known Synonyms
RainyDay

Internal MISP references

UUID 29231689-5837-4a7a-aafc-1b65b3f50cc7 which can be used as unique global reference for RainyDay - S0629 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0629 - webarchive
• https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0629
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FruitFly - S0277

FruitFly is designed to spy on mac users (Citation: objsee mac malware 2017).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FruitFly - S0277.

Known Synonyms
FruitFly

Internal MISP references

UUID 4a98e44a-bd52-461e-af1e-a4457de87a36 which can be used as unique global reference for FruitFly - S0277 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0277 - webarchive
• https://objective-see.com/blog/blog_0x25.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0277
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

ZergHelper - S0287

ZergHelper is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. (Citation: Xiao-ZergHelper)

Internal MISP references

UUID 3c3b55a6-c3e9-4043-8aae-283fe96220c0 which can be used as unique global reference for ZergHelper - S0287 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/ - webarchive
• https://attack.mitre.org/software/S0287 - webarchive

Associated metadata

Metadata key	Value
external_id	S0287

Related clusters

To see the related clusters, click here.

iKitten - S0278

iKitten is a macOS exfiltration agent (Citation: objsee mac malware 2017).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular iKitten - S0278.

Known Synonyms
OSX/MacDownloader
iKitten

Internal MISP references

UUID 2cfe8a26-5be7-4a09-8915-ea3d9e787513 which can be used as unique global reference for iKitten - S0278 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0278 - webarchive
• https://objective-see.com/blog/blog_0x25.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0278
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

XcodeGhost - S0297

XcodeGhost is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)

Internal MISP references

UUID d9e07aea-baad-4b68-bdca-90c77647d7f9 which can be used as unique global reference for XcodeGhost - S0297 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/ - webarchive
• http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/ - webarchive
• https://attack.mitre.org/software/S0297 - webarchive

Associated metadata

Metadata key	Value
external_id	S0297

Related clusters

To see the related clusters, click here.

Proton - S0279

Proton is a macOS backdoor focusing on data theft and credential access (Citation: objsee mac malware 2017).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Proton - S0279.

Known Synonyms
Proton

Internal MISP references

UUID c541efb4-e7b1-4ad6-9da8-b4e113f5dd42 which can be used as unique global reference for Proton - S0279 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0279 - webarchive
• https://objective-see.com/blog/blog_0x25.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0279
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

KeyRaider - S0288

KeyRaider is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. (Citation: Xiao-KeyRaider)

Internal MISP references

UUID 3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50 which can be used as unique global reference for KeyRaider - S0288 in MISP communities and other software using the MISP galaxy

External references

• http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/ - webarchive
• https://attack.mitre.org/software/S0288 - webarchive

Associated metadata

Metadata key	Value
external_id	S0288

Related clusters

To see the related clusters, click here.

NotCompatible - S0299

NotCompatible is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. (Citation: Lookout-NotCompatible)

Internal MISP references

UUID 23040c15-e7d8-47b5-8c16-8fd3e0e297fe which can be used as unique global reference for NotCompatible - S0299 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0299 - webarchive
• https://blog.lookout.com/blog/2014/11/19/notcompatible/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0299

Related clusters

To see the related clusters, click here.

UBoatRAT - S0333

UBoatRAT is a remote access tool that was identified in May 2017.(Citation: PaloAlto UBoatRAT Nov 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UBoatRAT - S0333.

Known Synonyms
UBoatRAT

Internal MISP references

UUID 518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f which can be used as unique global reference for UBoatRAT - S0333 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0333 - webarchive
• https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0333
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DarkComet - S0334

DarkComet is a Windows remote administration tool and backdoor.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkComet - S0334.

Known Synonyms
DarkComet
DarkKomet
FYNLOS
Fynloski
Krademok

Internal MISP references

UUID 53ab35c2-d00e-491a-8753-41d35ae7e547 which can be used as unique global reference for DarkComet - S0334 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0334 - webarchive
• https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/ - webarchive
• https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET - webarchive

Associated metadata

Metadata key	Value
external_id	S0334
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Rifdoor - S0433

Rifdoor is a remote access trojan (RAT) that shares numerous code similarities with HotCroissant.(Citation: Carbon Black HotCroissant April 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rifdoor - S0433.

Known Synonyms
Rifdoor

Internal MISP references

UUID 44c75271-0e4d-496f-ae0a-a6d883a42a65 which can be used as unique global reference for Rifdoor - S0433 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0433 - webarchive
• https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0433
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SLOTHFULMEDIA - S0533

SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017.(Citation: CISA MAR SLOTHFULMEDIA October 2020)(Citation: Costin Raiu IAmTheKing October 2020) It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.(Citation: USCYBERCOM SLOTHFULMEDIA October 2020)(Citation: Kaspersky IAmTheKing October 2020)

In October 2020, Kaspersky Labs assessed SLOTHFULMEDIA is part of an activity cluster it refers to as "IAmTheKing".(Citation: Kaspersky IAmTheKing October 2020) ESET also noted code similarity between SLOTHFULMEDIA and droppers used by a group it refers to as "PowerPool".(Citation: ESET PowerPool Code October 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SLOTHFULMEDIA - S0533.

Known Synonyms
JackOfHearts
QueenOfClubs
SLOTHFULMEDIA

Internal MISP references

UUID feb2d7bb-aacb-48df-ad04-ccf41a30cd90 which can be used as unique global reference for SLOTHFULMEDIA - S0533 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0533 - webarchive
• https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/ - webarchive
• https://twitter.com/CNMF_CyberAlert/status/1311743710997159953 - webarchive
• https://twitter.com/ESETresearch/status/1311762215490461696 - webarchive
• https://twitter.com/craiu/status/1311920398259367942 - webarchive
• https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a - webarchive

Associated metadata

Metadata key	Value
external_id	S0533
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Carbon - S0335

Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. Carbon has been selectively used by Turla to target government and foreign affairs-related organizations in Central Asia.(Citation: ESET Carbon Mar 2017)(Citation: Securelist Turla Oct 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Carbon - S0335.

Known Synonyms
Carbon

Internal MISP references

UUID b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f which can be used as unique global reference for Carbon - S0335 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0335 - webarchive
• https://securelist.com/shedding-skin-turlas-fresh-faces/88069/ - webarchive
• https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0335
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

NOKKI - S0353

NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018. NOKKI has significant code overlap with the KONNI malware family. There is some evidence potentially linking NOKKI to APT37.(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NOKKI - S0353.

Known Synonyms
NOKKI

Internal MISP references

UUID 071d5d65-83ec-4a55-acfa-be7d5f28ba9a which can be used as unique global reference for NOKKI - S0353 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0353 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/ - webarchive
• https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0353
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

NanoCore - S0336

NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.(Citation: DigiTrust NanoCore Jan 2017)(Citation: Cofense NanoCore Mar 2018)(Citation: PaloAlto NanoCore Feb 2016)(Citation: Unit 42 Gorgon Group Aug 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NanoCore - S0336.

Known Synonyms
NanoCore

Internal MISP references

UUID b4d80f8b-d2b9-4448-8844-4bef777ed676 which can be used as unique global reference for NanoCore - S0336 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0336 - webarchive
• https://cofense.com/nanocore-rat-resurfaced-sewers/ - webarchive
• https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/ - webarchive
• https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/ - webarchive
• https://www.digitrustgroup.com/nanocore-not-your-average-rat/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0336
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Astaroth - S0373

Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. (Citation: Cybereason Astaroth Feb 2019)(Citation: Cofense Astaroth Sept 2018)(Citation: Securelist Brazilian Banking Malware July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Astaroth - S0373.

Known Synonyms
Astaroth
Guildma

Internal MISP references

UUID edb24a93-1f7a-4bbf-a738-1397a14662c6 which can be used as unique global reference for Astaroth - S0373 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0373 - webarchive
• https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/ - webarchive
• https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ - webarchive
• https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research - webarchive

Associated metadata

Metadata key	Value
external_id	S0373
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BadPatch - S0337

BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.(Citation: Unit 42 BadPatch Oct 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BadPatch - S0337.

Known Synonyms
BadPatch

Internal MISP references

UUID 9af05de0-bc09-4511-a350-5eb8b06185c1 which can be used as unique global reference for BadPatch - S0337 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0337 - webarchive
• https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0337
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FlawedGrace - S0383

FlawedGrace is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlawedGrace - S0383.

Known Synonyms
FlawedGrace

Internal MISP references

UUID 43155329-3edf-47a6-9a14-7dac899b01e4 which can be used as unique global reference for FlawedGrace - S0383 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0383 - webarchive
• https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505 - webarchive

Associated metadata

Metadata key	Value
external_id	S0383
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Micropsia - S0339

Micropsia is a remote access tool written in Delphi.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Micropsia - S0339.

Known Synonyms
Micropsia

Internal MISP references

UUID 8c050cea-86e1-4b63-bf21-7af4fa483349 which can be used as unique global reference for Micropsia - S0339 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0339 - webarchive
• https://blog.radware.com/security/2018/07/micropsia-malware/ - webarchive
• https://blog.talosintelligence.com/2017/06/palestine-delphi.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0339
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PowerStallion - S0393

PowerStallion is a lightweight PowerShell backdoor used by Turla, possibly as a recovery access tool to install other backdoors.(Citation: ESET Turla PowerShell May 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PowerStallion - S0393.

Known Synonyms
PowerStallion

Internal MISP references

UUID dcac85c1-6485-4790-84f6-de5e6f6b91dd which can be used as unique global reference for PowerStallion - S0393 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0393 - webarchive
• https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0393
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

MESSAGETAP - S0443

MESSAGETAP is a data mining malware family deployed by APT41 into telecommunications networks to monitor and save SMS traffic from specific phone numbers, IMSI numbers, or that contain specific keywords. (Citation: FireEye MESSAGETAP October 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MESSAGETAP - S0443.

Known Synonyms
MESSAGETAP

Internal MISP references

UUID 9b19d6b4-cfcb-492f-8ca8-8449e7331573 which can be used as unique global reference for MESSAGETAP - S0443 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0443 - webarchive
• https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0443
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

Azorult - S0344

Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft. (Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Azorult - S0344.

Known Synonyms
Azorult

Internal MISP references

UUID f9b05f33-d45d-4e4d-aafe-c208d38a0080 which can be used as unique global reference for Azorult - S0344 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0344 - webarchive
• https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/ - webarchive
• https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside - webarchive

Associated metadata

Metadata key	Value
external_id	S0344
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PLEAD - S0435

PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018) PLEAD has also been referred to as TSCookie, though more recent reporting indicates likely separation between the two. PLEAD was observed in use as early as March 2017.(Citation: JPCert TSCookie March 2018)(Citation: JPCert PLEAD Downloader June 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PLEAD - S0435.

Known Synonyms
PLEAD

Internal MISP references

UUID b57f419e-8b12-49d3-886b-145383725dcd which can be used as unique global reference for PLEAD - S0435 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0435 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/ - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/ - webarchive
• https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0435
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Bazar - S0534

Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.(Citation: Cybereason Bazar July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bazar - S0534.

Known Synonyms
Bazaloader
Bazar
KEGTAP
Team9

Internal MISP references

UUID 99fdf3b4-96ef-4ab9-b191-fc683441cad0 which can be used as unique global reference for Bazar - S0534 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0534 - webarchive
• https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/ - webarchive
• https://www.crowdstrike.com/blog/wizard-spider-adversary-update/ - webarchive
• https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles - webarchive
• https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html - webarchive
• https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0534
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Denis - S0354

Denis is a Windows backdoor and Trojan used by APT32. Denis shares several similarities to the SOUNDBITE backdoor and has been used in conjunction with the Goopy backdoor.(Citation: Cybereason Oceanlotus May 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Denis - S0354.

Known Synonyms
Denis

Internal MISP references

UUID f25aab1a-0cef-4910-a85d-bb38b32ea41a which can be used as unique global reference for Denis - S0354 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0354 - webarchive
• https://www.cybereason.com/blog/operation-cobalt-kitty-apt - webarchive

Associated metadata

Metadata key	Value
external_id	S0354
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Pony - S0453

Pony is a credential stealing malware, though has also been used among adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 were leaked online, leading to their use by various threat actors.(Citation: Malwarebytes Pony April 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pony - S0453.

Known Synonyms
Pony

Internal MISP references

UUID 222ba512-32d9-49ac-aefd-50ce981ce2ce which can be used as unique global reference for Pony - S0453 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0453 - webarchive
• https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0453
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Seasalt - S0345

Seasalt is malware that has been linked to APT1's 2010 operations. It shares some code similarities with OceanSalt.(Citation: Mandiant APT1 Appendix)(Citation: McAfee Oceansalt Oct 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Seasalt - S0345.

Known Synonyms
Seasalt

Internal MISP references

UUID b45747dc-87ca-4597-a245-7e16a61bc491 which can be used as unique global reference for Seasalt - S0345 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0345 - webarchive
• https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf - webarchive
• https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0345
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Spark - S0543

Spark is a Windows backdoor and has been in use since as early as 2017.(Citation: Unit42 Molerat Mar 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Spark - S0543.

Known Synonyms
Spark

Internal MISP references

UUID 03ea629c-517a-41e3-94f8-c7e5368cf8f4 which can be used as unique global reference for Spark - S0543 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0543 - webarchive
• https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0543
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

INSOMNIA - S0463

INSOMNIA is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular INSOMNIA - S0463.

Known Synonyms
INSOMNIA

Internal MISP references

UUID 21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901 which can be used as unique global reference for INSOMNIA - S0463 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0463 - webarchive
• https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0463
mitre_platforms	['iOS']

Related clusters

To see the related clusters, click here.

TSCookie - S0436

TSCookie is a remote access tool (RAT) that has been used by BlackTech in campaigns against Japanese targets.(Citation: JPCert TSCookie March 2018)(Citation: JPCert BlackTech Malware September 2019). TSCookie has been referred to as PLEAD though more recent reporting indicates a separation between the two.(Citation: JPCert PLEAD Downloader June 2018)(Citation: JPCert BlackTech Malware September 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TSCookie - S0436.

Known Synonyms
TSCookie

Internal MISP references

UUID 76ac7989-c5cc-42e2-93e3-d6c476f01ace which can be used as unique global reference for TSCookie - S0436 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0436 - webarchive
• https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html - webarchive
• https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0436
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

EnvyScout - S0634

EnvyScout is a dropper that has been used by APT29 since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EnvyScout - S0634.

Known Synonyms
EnvyScout

Internal MISP references

UUID 2f8229dc-da94-41c6-89ba-b5b6c32f6b7d which can be used as unique global reference for EnvyScout - S0634 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0634 - webarchive
• https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0634
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

OceanSalt - S0346

OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. OceanSalt shares code similarity with SpyNote RAT, which has been linked to APT1.(Citation: McAfee Oceansalt Oct 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OceanSalt - S0346.

Known Synonyms
OceanSalt

Internal MISP references

UUID 288fa242-e894-4c7e-ac86-856deedf5cea which can be used as unique global reference for OceanSalt - S0346 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0346 - webarchive
• https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0346
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Peppy - S0643

Peppy is a Python-based remote access Trojan, active since at least 2012, with similarities to Crimson.(Citation: Proofpoint Operation Transparent Tribe March 2016)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Peppy - S0643.

Known Synonyms
Peppy

Internal MISP references

UUID 6c2550d5-a01a-4bbb-a004-6ead348ba623 which can be used as unique global reference for Peppy - S0643 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0643 - webarchive
• https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0643
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

AuditCred - S0347

AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.(Citation: TrendMicro Lazarus Nov 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AuditCred - S0347.

Known Synonyms
AuditCred
Roptimizer

Internal MISP references

UUID 24b4ce59-eaac-4c8b-8634-9b093b7ccd92 which can be used as unique global reference for AuditCred - S0347 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0347 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0347
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Avenger - S0473

Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.(Citation: Trend Micro Tick November 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Avenger - S0473.

Known Synonyms
Avenger

Internal MISP references

UUID 36ede314-7db4-4d09-b53d-81bbfbe5f6f8 which can be used as unique global reference for Avenger - S0473 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0473 - webarchive
• https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0473
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Kivars - S0437

Kivars is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by BlackTech in a 2010 campaign.(Citation: TrendMicro BlackTech June 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kivars - S0437.

Known Synonyms
Kivars

Internal MISP references

UUID b2d134a1-7bd5-4293-94d4-8fc978cb1cd7 which can be used as unique global reference for Kivars - S0437 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0437 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0437
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SpeakUp - S0374

SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. (Citation: CheckPoint SpeakUp Feb 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SpeakUp - S0374.

Known Synonyms
SpeakUp

Internal MISP references

UUID a5575606-9b85-4e3d-9cd2-40ef30e3672d which can be used as unique global reference for SpeakUp - S0374 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0374 - webarchive
• https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0374
mitre_platforms	['Linux', 'macOS']

Related clusters

To see the related clusters, click here.

Attor - S0438

Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets.(Citation: ESET Attor Oct 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Attor - S0438.

Known Synonyms
Attor

Internal MISP references

UUID 8f423bd7-6ca7-4303-9e85-008c7ad5fdaa which can be used as unique global reference for Attor - S0438 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0438 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0438
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

IcedID - S0483

IcedID is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. IcedID has been downloaded by Emotet in multiple campaigns.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular IcedID - S0483.

Known Synonyms
IcedID

Internal MISP references

UUID 5147ef15-1cae-4707-8ea1-bee8d98b7f1d which can be used as unique global reference for IcedID - S0483 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0483 - webarchive
• https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware - webarchive
• https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0483
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Dridex - S0384

Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated Dridex had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking Trojan (also known as Cridex).(Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017)(Citation: Treasury EvilCorp Dec 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dridex - S0384.

Known Synonyms
Bugat v5
Dridex

Internal MISP references

UUID f01e2711-4b48-4192-a2e8-5f56c945ca19 which can be used as unique global reference for Dridex - S0384 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0384 - webarchive
• https://home.treasury.gov/news/press-releases/sm845 - webarchive
• https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/ - webarchive
• https://securelist.com/dridex-a-history-of-evolution/78531/ - webarchive
• https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation - webarchive

Associated metadata

Metadata key	Value
external_id	S0384
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

GoldenSpy - S0493

GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. GoldenSpy was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.(Citation: Trustwave GoldenSpy June 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GoldenSpy - S0493.

Known Synonyms
GoldenSpy

Internal MISP references

UUID b9704a7d-feef-4af9-8898-5280f1686326 which can be used as unique global reference for GoldenSpy - S0493 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0493 - webarchive
• https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0493
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

HiddenWasp - S0394

HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HiddenWasp - S0394.

Known Synonyms
HiddenWasp

Internal MISP references

UUID fc774af4-533b-4724-96d2-ac1026316794 which can be used as unique global reference for HiddenWasp - S0394 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0394 - webarchive
• https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0394
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

Okrum - S0439

Okrum is a Windows backdoor that has been seen in use since December 2016 with strong links to Ke3chang.(Citation: ESET Okrum July 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Okrum - S0439.

Known Synonyms
Okrum

Internal MISP references

UUID 4b6ec280-7bbb-48ff-ae59-b189520ebe83 which can be used as unique global reference for Okrum - S0439 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0439 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0439
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

MoleNet - S0553

MoleNet is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.(Citation: Cybereason Molerats Dec 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MoleNet - S0553.

Known Synonyms
MoleNet

Internal MISP references

UUID 8a59f456-79a0-4151-9f56-9b1a67332af2 which can be used as unique global reference for MoleNet - S0553 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0553 - webarchive
• https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0553
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BoomBox - S0635

BoomBox is a downloader responsible for executing next stage components that has been used by APT29 since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BoomBox - S0635.

Known Synonyms
BoomBox

Internal MISP references

UUID c26f1c05-b861-4970-94dc-2f7f921a3074 which can be used as unique global reference for BoomBox - S0635 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0635 - webarchive
• https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0635
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

xCaon - S0653

xCaon is an HTTP variant of the BoxCaon malware family that has used by IndigoZebra since at least 2014. xCaon has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular xCaon - S0653.

Known Synonyms
xCaon

Internal MISP references

UUID 21583311-6321-4891-8a37-3eb4e57b0fb1 which can be used as unique global reference for xCaon - S0653 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0653 - webarchive
• https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/ - webarchive
• https://securelist.com/apt-trends-report-q2-2017/79332/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0653
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

GPlayed - S0536

GPlayed is an Android trojan with a broad range of capabilities.(Citation: Talos GPlayed)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GPlayed - S0536.

Known Synonyms
GPlayed

Internal MISP references

UUID a993495c-9813-4372-b9ec-d168c7f7ec0a which can be used as unique global reference for GPlayed - S0536 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0536 - webarchive
• https://blog.talosintelligence.com/2018/10/gplayedtrojan.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0536
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

KONNI - S0356

KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. KONNI has significant code overlap with the NOKKI malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking KONNI to APT37.(Citation: Talos Konni May 2017)(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KONNI - S0356.

Known Synonyms
KONNI

Internal MISP references

UUID 86b92f6c-9c05-4c51-b361-4c7bb13e21a1 which can be used as unique global reference for KONNI - S0356 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0356 - webarchive
• https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/ - webarchive
• https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html - webarchive
• https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b - webarchive
• https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/ - webarchive
• https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0356
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

HyperStack - S0537

HyperStack is a RPC-based backdoor used by Turla since at least 2018. HyperStack has similarities to other backdoors used by Turla including Carbon.(Citation: Accenture HyperStack October 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HyperStack - S0537.

Known Synonyms
HyperStack

Internal MISP references

UUID 2cf7dec3-66fc-423f-b2c7-58f1de243b4e which can be used as unique global reference for HyperStack - S0537 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0537 - webarchive
• https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity - webarchive

Associated metadata

Metadata key	Value
external_id	S0537
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Remexi - S0375

Remexi is a Windows-based Trojan that was developed in the C programming language.(Citation: Securelist Remexi Jan 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Remexi - S0375.

Known Synonyms
Remexi

Internal MISP references

UUID ecc2f65a-b452-4eaf-9689-7e181f17f7a5 which can be used as unique global reference for Remexi - S0375 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0375 - webarchive
• https://securelist.com/chafer-used-remexi-malware/89538/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0375
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

njRAT - S0385

njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular njRAT - S0385.

Known Synonyms
Bladabindi
LV
Njw0rm
njRAT

Internal MISP references

UUID d906e6f7-434c-44c0-b51a-ed50af8f7945 which can be used as unique global reference for njRAT - S0385 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0385 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/ - webarchive
• https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html - webarchive
• https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0385
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Crutch - S0538

Crutch is a backdoor designed for document theft that has been used by Turla since at least 2015.(Citation: ESET Crutch December 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Crutch - S0538.

Known Synonyms
Crutch

Internal MISP references

UUID 925a6c52-5cf0-4fec-99de-b0d6917d8593 which can be used as unique global reference for Crutch - S0538 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0538 - webarchive
• https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0538
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Pysa - S0583

Pysa is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.(Citation: CERT-FR PYSA April 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pysa - S0583.

Known Synonyms
Mespinoza
Pysa

Internal MISP references

UUID a19c1197-9414-46e3-986f-0f609ff4a46b which can be used as unique global reference for Pysa - S0583 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0583 - webarchive
• https://digital.nhs.uk/cyber-alerts/2020/cc-3633 - webarchive
• https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ - webarchive
• https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0583
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ECCENTRICBANDWAGON - S0593

ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.(Citation: CISA EB Aug 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ECCENTRICBANDWAGON - S0593.

Known Synonyms
ECCENTRICBANDWAGON

Internal MISP references

UUID e928333f-f3df-4039-9b8b-556c2add0e42 which can be used as unique global reference for ECCENTRICBANDWAGON - S0593 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0593 - webarchive
• https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a - webarchive

Associated metadata

Metadata key	Value
external_id	S0593
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

LightNeuron - S0395

LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.(Citation: ESET LightNeuron May 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LightNeuron - S0395.

Known Synonyms
LightNeuron

Internal MISP references

UUID 6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb which can be used as unique global reference for LightNeuron - S0395 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0395 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0395
mitre_platforms	['Windows', 'Linux']

Related clusters

To see the related clusters, click here.

WannaCry - S0366

WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WannaCry - S0366.

Known Synonyms
WCry
WanaCry
WanaCrypt
WanaCrypt0r
WannaCry

Internal MISP references

UUID 75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661 which can be used as unique global reference for WannaCry - S0366 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0366 - webarchive
• https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/ - webarchive
• https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html - webarchive
• https://www.secureworks.com/research/wcry-ransomware-analysis - webarchive
• https://www.us-cert.gov/ncas/alerts/TA17-132A - webarchive
• https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4 - webarchive

Associated metadata

Metadata key	Value
external_id	S0366
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

VaporRage - S0636

VaporRage is a shellcode downloader that has been used by APT29 since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VaporRage - S0636.

Known Synonyms
VaporRage

Internal MISP references

UUID 96eca9b9-b37f-42f1-96dc-a2c441403194 which can be used as unique global reference for VaporRage - S0636 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0636 - webarchive
• https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0636
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SysUpdate - S0663

SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.(Citation: Trend Micro Iron Tiger April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SysUpdate - S0663.

Known Synonyms
FOCUSFJORD
HyperSSL
Soldier
SysUpdate

Internal MISP references

UUID c009560a-f097-45a3-8f9f-78ec1440a783 which can be used as unique global reference for SysUpdate - S0663 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0663 - webarchive
• https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0663
mitre_platforms	['Windows', 'Linux']

Related clusters

To see the related clusters, click here.

DarkWatchman - S0673

DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.(Citation: Prevailion DarkWatchman 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkWatchman - S0673.

Known Synonyms
DarkWatchman

Internal MISP references

UUID 63686509-069b-4143-99ea-4e59cad6cb2a which can be used as unique global reference for DarkWatchman - S0673 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0673 - webarchive
• https://www.prevailion.com/darkwatchman-new-fileless-techniques/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0673
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Emotet - S0367

Emotet is a modular malware variant which is primarily used as a downloader for other malware variants such as TrickBot and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Emotet - S0367.

Known Synonyms
Emotet
Geodo

Internal MISP references

UUID 32066e94-3112-48ca-b9eb-ba2b59d2f023 which can be used as unique global reference for Emotet - S0367 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0367 - webarchive
• https://blog.talosintelligence.com/2019/01/return-of-emotet.html - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/ - webarchive
• https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf - webarchive
• https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/ - webarchive
• https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/ - webarchive
• https://support.malwarebytes.com/docs/DOC-2295 - webarchive
• https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/ - webarchive
• https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/ - webarchive
• https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html - webarchive
• https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader - webarchive
• https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor - webarchive
• https://www.us-cert.gov/ncas/alerts/TA18-201A - webarchive
• https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0367
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

HOPLIGHT - S0376

HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government.(Citation: US-CERT HOPLIGHT Apr 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HOPLIGHT - S0376.

Known Synonyms
HOPLIGHT

Internal MISP references

UUID 454fe82d-6fd2-4ac6-91ab-28a33fe01369 which can be used as unique global reference for HOPLIGHT - S0376 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0376 - webarchive
• https://www.us-cert.gov/ncas/analysis-reports/AR19-100A - webarchive

Associated metadata

Metadata key	Value
external_id	S0376
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

NativeZone - S0637

NativeZone is the name given collectively to disposable custom Cobalt Strike loaders used by APT29 since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)(Citation: SentinelOne NobleBaron June 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NativeZone - S0637.

Known Synonyms
NativeZone

Internal MISP references

UUID b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84 which can be used as unique global reference for NativeZone - S0637 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0637 - webarchive
• https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/ - webarchive
• https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0637
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Babuk - S0638

Babuk is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of Babuk employ a "Big Game Hunting" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: CyberScoop Babuk February 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Babuk - S0638.

Known Synonyms
Babuk
Babyk
Vasa Locker

Internal MISP references

UUID 61c7a91a-0b83-461d-ad32-75d96eed4a09 which can be used as unique global reference for Babuk - S0638 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0638 - webarchive
• https://www.cyberscoop.com/babuk-ransomware-serco-attack/ - webarchive
• https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf - webarchive
• https://www.sogeti.com/globalassets/reports/cybersecchronicles_-_babuk.pdf - webarchive
• https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0638
mitre_platforms	['Windows', 'Linux']

Related clusters

To see the related clusters, click here.

NotPetya - S0368

NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NotPetya - S0368.

Known Synonyms
Diskcoder.C
ExPetr
GoldenEye
NotPetya
Nyetya
Petrwrap

Internal MISP references

UUID 5719af9d-6b16-46f9-9b28-fb019541ddbb which can be used as unique global reference for NotPetya - S0368 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0368 - webarchive
• https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html - webarchive
• https://www.justice.gov/opa/press-release/file/1328521/download - webarchive
• https://www.us-cert.gov/ncas/alerts/TA17-181A - webarchive
• https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0368
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Ursnif - S0386

Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, Spearphishing Attachments, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) Ursnif is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.(Citation: TrendMicro Ursnif Mar 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ursnif - S0386.

Known Synonyms
Dreambot
Gozi-ISFB
PE_URSNIF
Ursnif

Internal MISP references

UUID 1492d0f8-7e14-4af3-9239-bc3fe10d3407 which can be used as unique global reference for Ursnif - S0386 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0386 - webarchive
• https://web.archive.org/web/20210719165945/https://www.trendmicro.com/en_us/research/15/c/ursnif-the-multifaceted-malware.html?_ga=2.165628854.808042651.1508120821-744063452.1505819992 - webarchive
• https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif - webarchive
• https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html - webarchive
• https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality - webarchive

Associated metadata

Metadata key	Value
external_id	S0386
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

EvilBunny - S0396

EvilBunny is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.(Citation: Cyphort EvilBunny Dec 2014)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EvilBunny - S0396.

Known Synonyms
EvilBunny

Internal MISP references

UUID a8a778f5-0035-4870-bb25-53dc05029586 which can be used as unique global reference for EvilBunny - S0396 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0396 - webarchive
• https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0396
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

CoinTicker - S0369

CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CoinTicker - S0369.

Known Synonyms
CoinTicker

Internal MISP references

UUID d1531eaa-9e17-473e-a680-3298469662c3 which can be used as unique global reference for CoinTicker - S0369 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0369 - webarchive
• https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0369
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

CaddyWiper - S0693

CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.(Citation: ESET CaddyWiper March 2022)(Citation: Cisco CaddyWiper March 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CaddyWiper - S0693.

Known Synonyms
CaddyWiper

Internal MISP references

UUID b30d999d-64e0-4e35-9856-884e4b83d611 which can be used as unique global reference for CaddyWiper - S0693 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0693 - webarchive
• https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html - webarchive
• https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine - webarchive

Associated metadata

Metadata key	Value
external_id	S0693
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Ebury - S0377

Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)(Citation: ESET Ebury Oct 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ebury - S0377.

Known Synonyms
Ebury

Internal MISP references

UUID d6b3fcd0-1c86-4350-96f0-965ed02fcc51 which can be used as unique global reference for Ebury - S0377 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0377 - webarchive
• https://www.bleepingcomputer.com/news/security/russian-hacker-pleads-guilty-for-role-in-infamous-linux-ebury-malware/ - webarchive
• https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ - webarchive
• https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0377
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

KeyBoy - S0387

KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: PWC KeyBoys Feb 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KeyBoy - S0387.

Known Synonyms
KeyBoy

Internal MISP references

UUID 5dd649c0-bca4-488b-bd85-b180474ec62e which can be used as unique global reference for KeyBoy - S0387 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0387 - webarchive
• https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/ - webarchive
• https://citizenlab.ca/2016/11/parliament-keyboy/ - webarchive
• https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0387
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

LoJax - S0397

LoJax is a UEFI rootkit used by APT28 to persist remote access software on targeted systems.(Citation: ESET LoJax Sept 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LoJax - S0397.

Known Synonyms
LoJax

Internal MISP references

UUID b865dded-0553-4962-a44b-6fe7863effed which can be used as unique global reference for LoJax - S0397 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0397 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0397
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

YAHOYAH - S0388

YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.(Citation: TrendMicro TropicTrooper 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular YAHOYAH - S0388.

Known Synonyms
YAHOYAH

Internal MISP references

UUID cb444a16-3ea5-4a91-88c6-f329adcb8af3 which can be used as unique global reference for YAHOYAH - S0388 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0388 - webarchive
• https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0388
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

HyperBro - S0398

HyperBro is a custom in-memory backdoor used by Threat Group-3390.(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HyperBro - S0398.

Known Synonyms
HyperBro

Internal MISP references

UUID 5e814485-012d-423d-b769-026bfed0f451 which can be used as unique global reference for HyperBro - S0398 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0398 - webarchive
• https://securelist.com/luckymouse-hits-national-data-center/86083/ - webarchive
• https://thehackernews.com/2018/06/chinese-watering-hole-attack.html - webarchive
• https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0398
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

JCry - S0389

JCry is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.(Citation: Carbon Black JCry May 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JCry - S0389.

Known Synonyms
JCry

Internal MISP references

UUID aaf3fa65-8b27-4e68-91de-2b7738fe4c82 which can be used as unique global reference for JCry - S0389 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0389 - webarchive
• https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0389

Related clusters

To see the related clusters, click here.

Pallas - S0399

Pallas is mobile surveillanceware that was custom-developed by Dark Caracal.(Citation: Lookout Dark Caracal Jan 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pallas - S0399.

Known Synonyms
Pallas

Internal MISP references

UUID c41a8b7c-3e42-4eee-b87d-ad8a100ee878 which can be used as unique global reference for Pallas - S0399 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0399 - webarchive
• https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0399
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

ShimRat - S0444

ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. (Citation: FOX-IT May 2016 Mofang)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ShimRat - S0444.

Known Synonyms
ShimRat

Internal MISP references

UUID 5763217a-05b6-4edd-9bca-057e47b5e403 which can be used as unique global reference for ShimRat - S0444 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0444 - webarchive
• https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0444
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

HenBox - S0544

HenBox is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. HenBox has primarily been used to target Uyghurs, a minority Turkic ethnic group.(Citation: Palo Alto HenBox)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HenBox - S0544.

Known Synonyms
HenBox

Internal MISP references

UUID aef537ba-10c2-40ed-a57a-80b8508aada4 which can be used as unique global reference for HenBox - S0544 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0544 - webarchive
• https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0544
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Cadelspy - S0454

Cadelspy is a backdoor that has been used by APT39.(Citation: Symantec Chafer Dec 2015)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cadelspy - S0454.

Known Synonyms
Cadelspy

Internal MISP references

UUID a705b085-1eae-455e-8f4d-842483d814eb which can be used as unique global reference for Cadelspy - S0454 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0454 - webarchive
• https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets - webarchive

Associated metadata

Metadata key	Value
external_id	S0454
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ObliqueRAT - S0644

ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Transparent Tribe since at least 2020.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ObliqueRAT - S0644.

Known Synonyms
ObliqueRAT

Internal MISP references

UUID 5864e59f-eb4c-43ad-83b2-b5e4fae056c9 which can be used as unique global reference for ObliqueRAT - S0644 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0644 - webarchive
• https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html - webarchive
• https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0644
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SYSCON - S0464

SYSCON is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. SYSCON has been delivered by the CARROTBALL and CARROTBAT droppers.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SYSCON - S0464.

Known Synonyms
SYSCON

Internal MISP references

UUID edf5aee2-9b1c-4252-8e64-25b12f14c8b3 which can be used as unique global reference for SYSCON - S0464 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0464 - webarchive
• https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/ - webarchive
• https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0464
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Ryuk - S0446

Ryuk is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. Ryuk shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ryuk - S0446.

Known Synonyms
Ryuk

Internal MISP references

UUID a020a61c-423f-4195-8c46-ba1d21abba37 which can be used as unique global reference for Ryuk - S0446 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0446 - webarchive
• https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/ - webarchive
• https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ - webarchive
• https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html - webarchive
• https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0446
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Lokibot - S0447

Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. Lokibot can also create a backdoor into infected systems to allow an attacker to install additional payloads.(Citation: Infoblox Lokibot January 2019)(Citation: Morphisec Lokibot April 2020)(Citation: CISA Lokibot September 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lokibot - S0447.

Known Synonyms
Lokibot

Internal MISP references

UUID cb741463-f0fe-42e0-8d45-bc7e8335f5ae which can be used as unique global reference for Lokibot - S0447 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0447 - webarchive
• https://blog.morphisec.com/lokibot-with-autoit-obfuscator-frenchy-shellcode - webarchive
• https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html - webarchive
• https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22 - webarchive
• https://us-cert.cisa.gov/ncas/alerts/aa20-266a - webarchive

Associated metadata

Metadata key	Value
external_id	S0447
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Carberp - S0484

Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.(Citation: Trend Micro Carberp February 2014)(Citation: KasperskyCarbanak)(Citation: RSA Carbanak November 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Carberp - S0484.

Known Synonyms
Carberp

Internal MISP references

UUID bbcd7a02-ef24-4171-ac94-a93540173b94 which can be used as unique global reference for Carberp - S0484 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0484 - webarchive
• https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/ - webarchive
• https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf - webarchive
• https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/carberp - webarchive

Associated metadata

Metadata key	Value
external_id	S0484
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Maze - S0449

Maze ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, Maze operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Maze - S0449.

Known Synonyms
Maze

Internal MISP references

UUID d9f7383c-95ec-4080-bbce-121c9384457b which can be used as unique global reference for Maze - S0449 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0449 - webarchive
• https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/ - webarchive
• https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html - webarchive
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0449
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Zen - S0494

Zen is Android malware that was first seen in 2013.(Citation: Google Security Zen)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zen - S0494.

Known Synonyms
Zen

Internal MISP references

UUID 22faaa56-a8ac-4292-9be6-b571b255ee40 which can be used as unique global reference for Zen - S0494 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0494 - webarchive
• https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0494
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

TERRACOTTA - S0545

TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.(Citation: WhiteOps TERRACOTTA)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TERRACOTTA - S0545.

Known Synonyms
TERRACOTTA

Internal MISP references

UUID e296b110-46d3-4f7a-894c-cc71ea50168c which can be used as unique global reference for TERRACOTTA - S0545 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0545 - webarchive
• https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study - webarchive

Associated metadata

Metadata key	Value
external_id	S0545
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Egregor - S0554

Egregor is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between Egregor and Sekhmet ransomware, as well as Maze ransomware.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020)(Citation: Security Boulevard Egregor Oct 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Egregor - S0554.

Known Synonyms
Egregor

Internal MISP references

UUID cc4c1287-9c86-4447-810c-744f3880ec37 which can be used as unique global reference for Egregor - S0554 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0554 - webarchive
• https://cybleinc.com/2020/10/31/egregor-ransomware-a-deep-dive-into-its-activities-and-techniques/ - webarchive
• https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary - webarchive
• https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0554
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Metamorfo - S0455

Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Metamorfo - S0455.

Known Synonyms
Casbaneiro
Metamorfo

Internal MISP references

UUID 81c57a96-fc8c-4f91-af8e-63e24c2927c2 which can be used as unique global reference for Metamorfo - S0455 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0455 - webarchive
• https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767 - webarchive
• https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0455
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BlackMould - S0564

BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by GALLIUM against telecommunication providers.(Citation: Microsoft GALLIUM December 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackMould - S0564.

Known Synonyms
BlackMould

Internal MISP references

UUID 63c4511b-2d6e-4bb2-b582-e2e99a8a467d which can be used as unique global reference for BlackMould - S0564 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0564 - webarchive
• https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0564
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ProLock - S0654

ProLock is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with QakBot. ProLock is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.(Citation: Group IB Ransomware September 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ProLock - S0654.

Known Synonyms
ProLock

Internal MISP references

UUID 471d0e9f-2c8a-4e4b-8f3b-f85d2407806e which can be used as unique global reference for ProLock - S0654 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0654 - webarchive
• https://groupib.pathfactory.com/ransomware-reports/prolock_wp - webarchive

Associated metadata

Metadata key	Value
external_id	S0654
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SharpStage - S0546

SharpStage is a .NET malware with backdoor capabilities.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SharpStage - S0546.

Known Synonyms
SharpStage

Internal MISP references

UUID 0ba9281c-93fa-4b29-8e9e-7ef918c7b13a which can be used as unique global reference for SharpStage - S0546 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0546 - webarchive
• https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/ - webarchive
• https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0546
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BendyBear - S0574

BendyBear is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, BendyBear shares a variety of features with Waterbear, malware previously attributed to the Chinese cyber espionage group BlackTech.(Citation: Unit42 BendyBear Feb 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BendyBear - S0574.

Known Synonyms
BendyBear

Internal MISP references

UUID 805480f1-6caa-4a67-8ca9-b2b39650d986 which can be used as unique global reference for BendyBear - S0574 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0574 - webarchive
• https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0574
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BackConfig - S0475

BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.(Citation: Unit 42 BackConfig May 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BackConfig - S0475.

Known Synonyms
BackConfig

Internal MISP references

UUID c13d9621-aca7-436b-ab3d-3a95badb3d00 which can be used as unique global reference for BackConfig - S0475 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0475 - webarchive
• https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0475
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DropBook - S0547

DropBook is a Python-based backdoor compiled with PyInstaller.(Citation: Cybereason Molerats Dec 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DropBook - S0547.

Known Synonyms
DropBook

Internal MISP references

UUID 3ae6097d-d700-46c6-8b21-42fc0bcb48fa which can be used as unique global reference for DropBook - S0547 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0547 - webarchive
• https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/ - webarchive
• https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0547
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Netwalker - S0457

Netwalker is fileless ransomware written in PowerShell and executed directly in memory.(Citation: TrendMicro Netwalker May 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Netwalker - S0457.

Known Synonyms
Netwalker

Internal MISP references

UUID 754effde-613c-4244-a83e-fb659b2a4d06 which can be used as unique global reference for Netwalker - S0457 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0457 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0457
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

AppleJeus - S0584

AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. AppleJeus has been used by Lazarus Group, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. AppleJeus has been used to distribute the FALLCHILL RAT.(Citation: CISA AppleJeus Feb 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AppleJeus - S0584.

Known Synonyms
AppleJeus

Internal MISP references

UUID e2d34c63-6f5a-41f5-86a2-e2380f27f858 which can be used as unique global reference for AppleJeus - S0584 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0584 - webarchive
• https://us-cert.cisa.gov/ncas/alerts/aa21-048a - webarchive

Associated metadata

Metadata key	Value
external_id	S0584
mitre_platforms	['Windows', 'macOS']

Related clusters

To see the related clusters, click here.

Mandrake - S0485

Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. Mandrake is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.

Mandrake has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mandrake - S0485.

Known Synonyms
Mandrake
briar
darkmatter
oxide
ricinus

Internal MISP references

UUID 52c994fa-b6c8-45a8-9586-a4275cf19307 which can be used as unique global reference for Mandrake - S0485 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0485 - webarchive
• https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0485
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Ramsay - S0458

Ramsay is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between Ramsay and the Darkhotel-associated Retro malware.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ramsay - S0458.

Known Synonyms
Ramsay

Internal MISP references

UUID ba09b86c-1c40-4ff1-bda0-0d8c4ca35997 which can be used as unique global reference for Ramsay - S0458 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0458 - webarchive
• https://www.programmersought.com/article/62493896999/ - webarchive
• https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0458
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

RDAT - S0495

RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RDAT - S0495.

Known Synonyms
RDAT

Internal MISP references

UUID 4b346d12-7f91-48d2-8f06-b26ffa0d825b which can be used as unique global reference for RDAT - S0495 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0495 - webarchive
• https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0495
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SilkBean - S0549

SilkBean is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.(Citation: Lookout Uyghur Campaign)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SilkBean - S0549.

Known Synonyms
SilkBean

Internal MISP references

UUID ddbe5657-e21e-4a89-8221-2f1362d397ec which can be used as unique global reference for SilkBean - S0549 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0549 - webarchive
• https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0549
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

MechaFlounder - S0459

MechaFlounder is a python-based remote access tool (RAT) that has been used by APT39. The payload uses a combination of actor developed code and code snippets freely available online in development communities.(Citation: Unit 42 MechaFlounder March 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MechaFlounder - S0459.

Known Synonyms
MechaFlounder

Internal MISP references

UUID dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2 which can be used as unique global reference for MechaFlounder - S0459 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0459 - webarchive
• https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0459
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SpicyOmelette - S0646

SpicyOmelette is a JavaScript based remote access tool that has been used by Cobalt Group since at least 2018.(Citation: Secureworks GOLD KINGSWOOD September 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SpicyOmelette - S0646.

Known Synonyms
SpicyOmelette

Internal MISP references

UUID 599cd7b5-37b5-4cdd-8174-2811531ce9d0 which can be used as unique global reference for SpicyOmelette - S0646 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0646 - webarchive
• https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish - webarchive

Associated metadata

Metadata key	Value
external_id	S0646
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Pandora - S0664

Pandora is a multistage kernel rootkit with backdoor functionality that has been in use by Threat Group-3390 since at least 2020.(Citation: Trend Micro Iron Tiger April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pandora - S0664.

Known Synonyms
Pandora

Internal MISP references

UUID a545456a-f9a7-47ad-9ea6-8b017def38d1 which can be used as unique global reference for Pandora - S0664 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0664 - webarchive
• https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0664
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

WindTail - S0466

WindTail is a macOS surveillance implant used by Windshift. WindTail shares code similarities with Hack Back aka KitM OSX.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WindTail - S0466.

Known Synonyms
WindTail

Internal MISP references

UUID 0d1f9f5b-11ea-42c3-b5f4-63cce0122541 which can be used as unique global reference for WindTail - S0466 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0466 - webarchive
• https://objective-see.com/blog/blog_0x3B.html - webarchive
• https://objective-see.com/blog/blog_0x3D.html - webarchive
• https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0466
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

CharmPower - S0674

CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least 2022.(Citation: Check Point APT35 CharmPower January 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CharmPower - S0674.

Known Synonyms
CharmPower

Internal MISP references

UUID 7acb15b6-fe2c-4319-b136-6ab36ff0b2d4 which can be used as unique global reference for CharmPower - S0674 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0674 - webarchive
• https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0674
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

TajMahal - S0467

TajMahal is a multifunctional spying framework that has been in use since at least 2014. TajMahal is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.(Citation: Kaspersky TajMahal April 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TajMahal - S0467.

Known Synonyms
TajMahal

Internal MISP references

UUID b51797f7-57da-4210-b8ac-b8632ee75d70 which can be used as unique global reference for TajMahal - S0467 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0467 - webarchive
• https://securelist.com/project-tajmahal/90240/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0467
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Turian - S0647

Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.(Citation: ESET BackdoorDiplomacy Jun 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Turian - S0647.

Known Synonyms
Turian

Internal MISP references

UUID 350f12cf-fd3b-4dad-b323-14b943090df4 which can be used as unique global reference for Turian - S0647 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0647 - webarchive
• https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0647
mitre_platforms	['Windows', 'Linux']

Related clusters

To see the related clusters, click here.

Valak - S0476

Valak is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Valak - S0476.

Known Synonyms
Valak

Internal MISP references

UUID ade37ada-14af-4b44-b36c-210eec255d53 which can be used as unique global reference for Valak - S0476 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0476 - webarchive
• https://unit42.paloaltonetworks.com/valak-evolution/ - webarchive
• https://www.cybereason.com/blog/valak-more-than-meets-the-eye - webarchive

Associated metadata

Metadata key	Value
external_id	S0476
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Bonadan - S0486

Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.(Citation: ESET ForSSHe December 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bonadan - S0486.

Known Synonyms
Bonadan

Internal MISP references

UUID 4c6d62c2-89f5-4159-8fab-0190b1f9d328 which can be used as unique global reference for Bonadan - S0486 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0486 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0486
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

Skidmap - S0468

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.(Citation: Trend Micro Skidmap)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Skidmap - S0468.

Known Synonyms
Skidmap

Internal MISP references

UUID 4b68b5ea-2e1b-4225-845b-8632f702b9a0 which can be used as unique global reference for Skidmap - S0468 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0468 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0468
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

ABK - S0469

ABK is a downloader that has been used by BRONZE BUTLER since at least 2019.(Citation: Trend Micro Tick November 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ABK - S0469.

Known Synonyms
ABK

Internal MISP references

UUID a0ebedca-d558-4e48-8ff7-4bf76208d90c which can be used as unique global reference for ABK - S0469 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0469 - webarchive
• https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0469
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SMOKEDHAM - S0649

SMOKEDHAM is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SMOKEDHAM - S0649.

Known Synonyms
SMOKEDHAM

Internal MISP references

UUID 7e0f8b0f-716e-494d-827e-310bd6ed709e which can be used as unique global reference for SMOKEDHAM - S0649 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0649 - webarchive
• https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html - webarchive
• https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0649
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DRATzarus - S0694

DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target the defense and aerospace organizations globally since at least summer 2020. DRATzarus shares similarities with Bankshot, which was used by Lazarus Group in 2017 to target the Turkish financial sector.(Citation: ClearSky Lazarus Aug 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DRATzarus - S0694.

Known Synonyms
DRATzarus

Internal MISP references

UUID 56aa3c82-ed40-4b5a-84bf-7231356d9e96 which can be used as unique global reference for DRATzarus - S0694 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0694 - webarchive
• https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0694
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

REvil - S0496

REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which as been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular REvil - S0496.

Known Synonyms
REvil
Sodin
Sodinokibi

Internal MISP references

UUID ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5 which can be used as unique global reference for REvil - S0496 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0496 - webarchive
• https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html - webarchive
• https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/ - webarchive
• https://securelist.com/sodin-ransomware/91473/ - webarchive
• https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html - webarchive
• https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data - webarchive
• https://www.group-ib.com/whitepapers/ransomware-uncovered.html - webarchive
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/ - webarchive
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/ - webarchive
• https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware - webarchive
• https://www.secureworks.com/blog/revil-the-gandcrab-connection - webarchive
• https://www.secureworks.com/research/revil-sodinokibi-ransomware - webarchive
• https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis - webarchive

Associated metadata

Metadata key	Value
external_id	S0496
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Goopy - S0477

Goopy is a Windows backdoor and Trojan used by APT32 and shares several similarities to another backdoor used by the group (Denis). Goopy is named for its impersonation of the legitimate Google Updater executable.(Citation: Cybereason Cobalt Kitty 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Goopy - S0477.

Known Synonyms
Goopy

Internal MISP references

UUID eac3d77f-2b7b-4599-ba74-948dc16633ad which can be used as unique global reference for Goopy - S0477 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0477 - webarchive
• https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0477
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

EventBot - S0478

EventBot is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EventBot - S0478.

Known Synonyms
EventBot

Internal MISP references

UUID aecc0097-c9f8-4786-9b39-e891ff173f54 which can be used as unique global reference for EventBot - S0478 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0478 - webarchive
• https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born - webarchive

Associated metadata

Metadata key	Value
external_id	S0478
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Kessel - S0487

Kessel is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. Kessel has been active since its C2 domain began resolving in August 2018.(Citation: ESET ForSSHe December 2018)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kessel - S0487.

Known Synonyms
Kessel

Internal MISP references

UUID c984b414-b766-44c5-814a-2fe96c913c12 which can be used as unique global reference for Kessel - S0487 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0487 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0487
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

Dacls - S0497

Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.(Citation: TrendMicro macOS Dacls May 2020)(Citation: SentinelOne Lazarus macOS July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dacls - S0497.

Known Synonyms
Dacls

Internal MISP references

UUID 3aa169f8-bbf6-44bb-b57d-7f6ada5c2128 which can be used as unique global reference for Dacls - S0497 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0497 - webarchive
• https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/ - webarchive
• https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0497
mitre_platforms	['macOS', 'Linux', 'Windows']

Related clusters

To see the related clusters, click here.

WolfRAT - S0489

WolfRAT is malware based on a leaked version of Dendroid that has primarily targeted Thai users. WolfRAT has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WolfRAT - S0489.

Known Synonyms
WolfRAT

Internal MISP references

UUID dfdac962-9461-47f0-a212-36dfce2a97e6 which can be used as unique global reference for WolfRAT - S0489 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0489 - webarchive
• https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0489
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Cryptoistic - S0498

Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.(Citation: SentinelOne Lazarus macOS July 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cryptoistic - S0498.

Known Synonyms
Cryptoistic

Internal MISP references

UUID a04d9a4c-bb52-40bf-98ec-e350c2d6a862 which can be used as unique global reference for Cryptoistic - S0498 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0498 - webarchive
• https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0498
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

Hancitor - S0499

Hancitor is a downloader that has been used by Pony and other information stealing malware.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hancitor - S0499.

Known Synonyms
Chanitor
Hancitor

Internal MISP references

UUID ef2247bf-8062-404b-894f-d65d00564817 which can be used as unique global reference for Hancitor - S0499 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0499 - webarchive
• https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/ - webarchive
• https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0499
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

CHEMISTGAMES - S0555

CHEMISTGAMES is a modular backdoor that has been deployed by Sandworm Team.(Citation: CYBERWARCON CHEMISTGAMES)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CHEMISTGAMES - S0555.

Known Synonyms
CHEMISTGAMES

Internal MISP references

UUID a0d774e4-bafc-4292-8651-3ec899391341 which can be used as unique global reference for CHEMISTGAMES - S0555 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0555 - webarchive
• https://www.youtube.com/watch?v=xoNSbm1aX_w - webarchive

Associated metadata

Metadata key	Value
external_id	S0555
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

BusyGasper - S0655

BusyGasper is Android spyware that has been in use since May 2016. There have been less than 10 victims, all who appear to be located in Russia, that were all infected via physical access to the device.(Citation: SecureList BusyGasper)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BusyGasper - S0655.

Known Synonyms
BusyGasper

Internal MISP references

UUID e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4 which can be used as unique global reference for BusyGasper - S0655 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0655 - webarchive
• https://securelist.com/busygasper-the-unfriendly-spy/87627/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0655
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Raindrop - S0565

Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations related to the SolarWinds Compromise. It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Raindrop - S0565.

Known Synonyms
Raindrop

Internal MISP references

UUID 4efc3e00-72f2-466a-ab7c-8a7dc6603b19 which can be used as unique global reference for Raindrop - S0565 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0565 - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware - webarchive
• https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0565
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Conti - S0575

Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed via TrickBot and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)(Citation: Cybleinc Conti January 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Conti - S0575.

Known Synonyms
Conti

Internal MISP references

UUID 4dea7d8e-af94-4bfb-afe4-7ff54f59308b which can be used as unique global reference for Conti - S0575 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0575 - webarchive
• https://cybleinc.com/2021/01/21/conti-ransomware-resurfaces-targeting-government-large-organizations/ - webarchive
• https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/ - webarchive
• https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware - webarchive

Associated metadata

Metadata key	Value
external_id	S0575
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Kerrdown - S0585

Kerrdown is a custom downloader that has been used by APT32 since at least 2018 to install spyware from a server on the victim's network.(Citation: Amnesty Intl. Ocean Lotus February 2021)(Citation: Unit 42 KerrDown February 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kerrdown - S0585.

Known Synonyms
Kerrdown

Internal MISP references

UUID 8c1d01ff-fdc0-4586-99bd-c248e0761af5 which can be used as unique global reference for Kerrdown - S0585 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0585 - webarchive
• https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/ - webarchive
• https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0585
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

SUNBURST - S0559

SUNBURST is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SUNBURST - S0559.

Known Synonyms
SUNBURST
Solorigate

Internal MISP references

UUID a8839c95-029f-44cf-8f3d-a3cf2039e927 which can be used as unique global reference for SUNBURST - S0559 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0559 - webarchive
• https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/ - webarchive
• https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - webarchive
• https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0559
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ThiefQuest - S0595

ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. ThiefQuest was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.(Citation: Reed thiefquest fake ransom) Even though ThiefQuest presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.(Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ThiefQuest - S0595.

Known Synonyms
EvilQuest
MacRansom.K
ThiefQuest

Internal MISP references

UUID 727afb95-3d0f-4451-b297-362a43909923 which can be used as unique global reference for ThiefQuest - S0595 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0595 - webarchive
• https://blog.malwarebytes.com/detections/osx-thiefquest/ - webarchive
• https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/ - webarchive
• https://objective-see.com/blog/blog_0x60.html - webarchive
• https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0595
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

ThreatNeedle - S0665

ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of Lazarus Group's Manuscrypt (a.k.a. NukeSped) malware family.(Citation: Kaspersky ThreatNeedle Feb 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ThreatNeedle - S0665.

Known Synonyms
ThreatNeedle

Internal MISP references

UUID 16040b1c-ed28-4850-9d8f-bb8b81c42092 which can be used as unique global reference for ThreatNeedle - S0665 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0665 - webarchive
• https://securelist.com/lazarus-threatneedle/100803/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0665
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

BLUELIGHT - S0657

BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.(Citation: Volexity InkySquid BLUELIGHT August 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BLUELIGHT - S0657.

Known Synonyms
BLUELIGHT

Internal MISP references

UUID 8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0 which can be used as unique global reference for BLUELIGHT - S0657 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0657 - webarchive
• https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0657
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

MegaCortex - S0576

MegaCortex is ransomware that first appeared in May 2019. (Citation: IBM MegaCortex) MegaCortex has mainly targeted industrial organizations. (Citation: FireEye Ransomware Disrupt Industrial Production)(Citation: FireEye Financial Actors Moving into OT)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MegaCortex - S0576.

Known Synonyms
MegaCortex

Internal MISP references

UUID 909617c3-6d87-4330-8f32-bd3af38c3b92 which can be used as unique global reference for MegaCortex - S0576 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0576 - webarchive
• https://securityintelligence.com/posts/from-mega-to-giga-cross-version-comparison-of-top-megacortex-modifications/ - webarchive
• https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html - webarchive
• https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0576
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Dtrack - S0567

Dtrack is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. Dtrack shares similarities with the DarkSeoul campaign, which was attributed to Lazarus Group. (Citation: Kaspersky Dtrack)(Citation: Securelist Dtrack)(Citation: Dragos WASSONITE)(Citation: CyberBit Dtrack)(Citation: ZDNet Dtrack)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dtrack - S0567.

Known Synonyms
Dtrack

Internal MISP references

UUID f8774023-8021-4ece-9aca-383ac89d2759 which can be used as unique global reference for Dtrack - S0567 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0567 - webarchive
• https://securelist.com/my-name-is-dtrack/93338/ - webarchive
• https://usa.kaspersky.com/about/press-releases/2019_dtrack-previously-unknown-spy-tool-hits-financial-institutions-and-research-centers - webarchive
• https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/ - webarchive
• https://www.dragos.com/threat/wassonite/ - webarchive
• https://www.zdnet.com/article/confirmed-north-korean-malware-found-on-indian-nuclear-plants-network/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0567
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

TAINTEDSCRIBE - S0586

TAINTEDSCRIBE is a fully-featured beaconing implant integrated with command modules used by Lazarus Group. It was first reported in May 2020.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TAINTEDSCRIBE - S0586.

Known Synonyms
TAINTEDSCRIBE

Internal MISP references

UUID 7f4bbe05-1674-4087-8a16-8f1ad61b6152 which can be used as unique global reference for TAINTEDSCRIBE - S0586 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0586 - webarchive
• https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b - webarchive

Associated metadata

Metadata key	Value
external_id	S0586
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

XCSSET - S0658

XCSSET is a macOS modular backdoor that targets Xcode application developers. XCSSET was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.(Citation: trendmicro xcsset xcode project 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XCSSET - S0658.

Known Synonyms
OSX.DubRobber
XCSSET

Internal MISP references

UUID e14085cb-0e8d-4be6-92ba-e3b93ee5978f which can be used as unique global reference for XCSSET - S0658 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0658 - webarchive
• https://blog.malwarebytes.com/detections/osx-dubrobber/ - webarchive
• https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0658
mitre_platforms	['macOS']

Related clusters

To see the related clusters, click here.

EVILNUM - S0568

EVILNUM is fully capable backdoor that was first identified in 2018. EVILNUM is used by the APT group Evilnum which has the same name.(Citation: ESET EvilNum July 2020)(Citation: Prevailion EvilNum May 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EVILNUM - S0568.

Known Synonyms
EVILNUM

Internal MISP references

UUID 7cdfccda-2950-4167-981a-60872ff5d0db which can be used as unique global reference for EVILNUM - S0568 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0568 - webarchive
• https://www.prevailion.com/phantom-in-the-command-shell-2/ - webarchive
• https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0568
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PowerPunch - S0685

PowerPunch is a lightweight downloader that has been used by Gamaredon Group since at least 2021.(Citation: Microsoft Actinium February 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PowerPunch - S0685.

Known Synonyms
PowerPunch

Internal MISP references

UUID d52291b4-bb23-45a8-aef0-3dc7e986ba15 which can be used as unique global reference for PowerPunch - S0685 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0685 - webarchive
• https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0685
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Diavol - S0659

Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. The Diavol Ransomware-as-a Service (RaaS) program is managed by Wizard Spider and it has been observed being deployed by Bazar.(Citation: Fortinet Diavol July 2021)(Citation: FBI Flash Diavol January 2022)(Citation: DFIR Diavol Ransomware December 2021)(Citation: Microsoft Ransomware as a Service)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Diavol - S0659.

Known Synonyms
Diavol

Internal MISP references

UUID 4e9bdf9a-4957-47f6-87b3-c76898d3f623 which can be used as unique global reference for Diavol - S0659 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0659 - webarchive
• https://thedfirreport.com/2021/12/13/diavol-ransomware/ - webarchive
• https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider - webarchive
• https://www.ic3.gov/Media/News/2022/220120.pdf - webarchive
• https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0659
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Explosive - S0569

Explosive is a custom-made remote access tool used by the group Volatile Cedar. It was first identified in the wild in 2015.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Explosive - S0569.

Known Synonyms
Explosive

Internal MISP references

UUID 6a21e3a4-5ffe-4581-af9a-6a54c7536f44 which can be used as unique global reference for Explosive - S0569 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0569 - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf - webarchive
• https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0569
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

ShadowPad - S0596

ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups. (Citation: Recorded Future RedEcho Feb 2021)(Citation: Securelist ShadowPad Aug 2017)(Citation: Kaspersky ShadowPad Aug 2017)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ShadowPad - S0596.

Known Synonyms
POISONPLUG.SHADOW
ShadowPad

Internal MISP references

UUID ec9e00dd-0313-4d5b-8105-c20aa47abffc which can be used as unique global reference for ShadowPad - S0596 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0596 - webarchive
• https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf - webarchive
• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf - webarchive
• https://securelist.com/shadowpad-in-corporate-networks/81432/ - webarchive
• https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0596
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

FrozenCell - S0577

FrozenCell is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and Micropsia.(Citation: Lookout FrozenCell)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FrozenCell - S0577.

Known Synonyms
FrozenCell

Internal MISP references

UUID 96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62 which can be used as unique global reference for FrozenCell - S0577 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0577 - webarchive
• https://blog.lookout.com/frozencell-mobile-threat - webarchive

Associated metadata

Metadata key	Value
external_id	S0577
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

SUPERNOVA - S0578

SUPERNOVA is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of APT29's SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests SUPERNOVA may have been used by the China-based threat group SPIRAL.(Citation: Guidepoint SUPERNOVA Dec 2020)(Citation: Unit42 SUPERNOVA Dec 2020)(Citation: SolarWinds Advisory Dec 2020)(Citation: CISA Supernova Jan 2021)(Citation: Microsoft Analyzing Solorigate Dec 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SUPERNOVA - S0578.

Known Synonyms
SUPERNOVA

Internal MISP references

UUID b2b0b946-be0a-4a7f-9c32-a2e5211d1cd9 which can be used as unique global reference for SUPERNOVA - S0578 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0578 - webarchive
• https://unit42.paloaltonetworks.com/solarstorm-supernova/ - webarchive
• https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a - webarchive
• https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/ - webarchive
• https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ - webarchive
• https://www.solarwinds.com/sa-overview/securityadvisory - webarchive

Associated metadata

Metadata key	Value
external_id	S0578
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Penquin - S0587

Penquin is a remote access trojan (RAT) with multiple versions used by Turla to target Linux systems since at least 2014.(Citation: Kaspersky Turla Penquin December 2014)(Citation: Leonardo Turla Penquin May 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Penquin - S0587.

Known Synonyms
Penquin
Penquin 2.0
Penquin_x64

Internal MISP references

UUID d18cb958-f4ad-4fb3-bb4f-e8994d206550 which can be used as unique global reference for Penquin - S0587 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0587 - webarchive
• https://securelist.com/the-penquin-turla-2/67962/ - webarchive
• https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0587
mitre_platforms	['Linux']

Related clusters

To see the related clusters, click here.

GoldFinder - S0597

GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. GoldFinder was discovered in early 2021 during an investigation into the SolarWinds Compromise by APT29.(Citation: MSTIC NOBELIUM Mar 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GoldFinder - S0597.

Known Synonyms
GoldFinder

Internal MISP references

UUID b7010785-699f-412f-ba49-524da6033c76 which can be used as unique global reference for GoldFinder - S0597 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0597 - webarchive
• https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0597
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Waterbear - S0579

Waterbear is modular malware attributed to BlackTech that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.(Citation: Trend Micro Waterbear December 2019)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Waterbear - S0579.

Known Synonyms
Waterbear

Internal MISP references

UUID f3f1fbed-7e29-49cb-8579-4a378f858deb which can be used as unique global reference for Waterbear - S0579 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0579 - webarchive
• https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0579
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

GoldMax - S0588

GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. GoldMax was discovered in early 2021 during the investigation into the SolarWinds Compromise, and has likely been used by APT29 since at least mid-2019. GoldMax uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GoldMax - S0588.

Known Synonyms
GoldMax
SUNSHUTTLE

Internal MISP references

UUID 5c747acd-47f0-4c5a-b9e5-213541fc01e0 which can be used as unique global reference for GoldMax - S0588 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0588 - webarchive
• https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/ - webarchive
• https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html - webarchive
• https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0588
mitre_platforms	['Windows', 'Linux']

Related clusters

To see the related clusters, click here.

Sibot - S0589

Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three Sibot variants in early 2021 during its investigation of APT29 and the SolarWinds Compromise.(Citation: MSTIC NOBELIUM Mar 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sibot - S0589.

Known Synonyms
Sibot

Internal MISP references

UUID 979adb5a-dc30-48f0-9e3d-9a26d866928c which can be used as unique global reference for Sibot - S0589 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0589 - webarchive
• https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0589
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Kinsing - S0599

Kinsing is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. (Citation: Aqua Kinsing April 2020)(Citation: Sysdig Kinsing November 2020)(Citation: Aqua Security Cloud Native Threat Report June 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kinsing - S0599.

Known Synonyms
Kinsing

Internal MISP references

UUID d6e55656-e43f-411f-a7af-45df650471c5 which can be used as unique global reference for Kinsing - S0599 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0599 - webarchive
• https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability - webarchive
• https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation - webarchive
• https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0599
mitre_platforms	['Containers', 'Linux']

Related clusters

To see the related clusters, click here.

Gelsemium - S0666

Gelsemium is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.(Citation: ESET Gelsemium June 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gelsemium - S0666.

Known Synonyms
Gelsemine
Gelsemium
Gelsenicine
Gelsevirine

Internal MISP references

UUID efa7c4d6-8e30-41d9-a8fd-26dc337f4a1b which can be used as unique global reference for Gelsemium - S0666 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0666 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0666
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Chrommme - S0667

Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with Gelsemium malware.(Citation: ESET Gelsemium June 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chrommme - S0667.

Known Synonyms
Chrommme

Internal MISP references

UUID 579607c2-d046-40df-99ab-beb479c37a2a which can be used as unique global reference for Chrommme - S0667 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0667 - webarchive
• https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0667
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

QuietSieve - S0686

QuietSieve is an information stealer that has been used by Gamaredon Group since at least 2021.(Citation: Microsoft Actinium February 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QuietSieve - S0686.

Known Synonyms
QuietSieve

Internal MISP references

UUID 03eb4a05-6a02-43f6-afb7-3c7835501828 which can be used as unique global reference for QuietSieve - S0686 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0686 - webarchive
• https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0686
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

TinyTurla - S0668

TinyTurla is a backdoor that has been used by Turla against targets in the US, Germany, and Afghanistan since at least 2020.(Citation: Talos TinyTurla September 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TinyTurla - S0668.

Known Synonyms
TinyTurla

Internal MISP references

UUID 2a7c1bb7-cd12-456e-810d-ab3bf8457bab which can be used as unique global reference for TinyTurla - S0668 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0668 - webarchive
• https://blog.talosintelligence.com/2021/09/tinyturla.html - webarchive

Associated metadata

Metadata key	Value
external_id	S0668
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

KOCTOPUS - S0669

KOCTOPUS's batch variant is loader used by LazyScripter since 2018 to launch Octopus and Koadic and, in some cases, QuasarRAT. KOCTOPUS also has a VBA variant that has the same functionality as the batch version.(Citation: MalwareBytes LazyScripter Feb 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular KOCTOPUS - S0669.

Known Synonyms
KOCTOPUS

Internal MISP references

UUID df9b350b-d4f9-4e79-a826-75cc75fbc1eb which can be used as unique global reference for KOCTOPUS - S0669 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0669 - webarchive
• https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf - webarchive

Associated metadata

Metadata key	Value
external_id	S0669
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Flagpro - S0696

Flagpro is a Windows-based, first-stage downloader that has been used by BlackTech since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.(Citation: NTT Security Flagpro new December 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Flagpro - S0696.

Known Synonyms
Flagpro

Internal MISP references

UUID 592260fb-dd5c-4a30-8d99-106a0485be0d which can be used as unique global reference for Flagpro - S0696 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0696 - webarchive
• https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech - webarchive

Associated metadata

Metadata key	Value
external_id	S0696
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Torisma - S0678

Torisma is a second stage implant designed for specialized monitoring that has been used by Lazarus Group. Torisma was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.(Citation: McAfee Lazarus Nov 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Torisma - S0678.

Known Synonyms
Torisma

Internal MISP references

UUID 0715560d-4299-4e84-9e20-6e80ab57e4f2 which can be used as unique global reference for Torisma - S0678 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0678 - webarchive
• https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0678
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Ferocious - S0679

Ferocious is a first stage implant composed of VBS and PowerShell scripts that has been used by WIRTE since at least 2021.(Citation: Kaspersky WIRTE November 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ferocious - S0679.

Known Synonyms
Ferocious

Internal MISP references

UUID 73d08401-005f-4e1f-90b9-8f45d120879f which can be used as unique global reference for Ferocious - S0679 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0679 - webarchive
• https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044 - webarchive

Associated metadata

Metadata key	Value
external_id	S0679
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

HermeticWiper - S0697

HermeticWiper is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HermeticWiper - S0697.

Known Synonyms
DriveSlayer
HermeticWiper
Trojan.Killdisk

Internal MISP references

UUID a0ab8a96-40c9-4483-8a54-3fafa6d6007a which can be used as unique global reference for HermeticWiper - S0697 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0697 - webarchive
• https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware - webarchive
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia - webarchive
• https://www.cisa.gov/uscert/ncas/alerts/aa22-057a - webarchive
• https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/ - webarchive
• https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine - webarchive
• https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack - webarchive
• https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine - webarchive

Associated metadata

Metadata key	Value
external_id	S0697
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

Meteor - S0688

Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. Meteor is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called "Indra" since at least 2019 against private companies in Syria.(Citation: Check Point Meteor Aug 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Meteor - S0688.

Known Synonyms
Meteor

Internal MISP references

UUID d79e7a60-5de9-448e-a074-f95d2d80f8d0 which can be used as unique global reference for Meteor - S0688 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0688 - webarchive
• https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0688
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

WhisperGate - S0689

WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WhisperGate - S0689.

Known Synonyms
WhisperGate

Internal MISP references

UUID 49fee0b0-390e-4bde-97f8-97ed46bd19b7 which can be used as unique global reference for WhisperGate - S0689 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0689 - webarchive
• https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/#whispergate-malware-family - webarchive
• https://www.cybereason.com/blog/cybereason-vs.-whispergate-wiper - webarchive
• https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - webarchive

Associated metadata

Metadata key	Value
external_id	S0689
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

HermeticWizard - S0698

HermeticWizard is a worm that has been used to spread HermeticWiper in attacks against organizations in Ukraine since at least 2022.(Citation: ESET Hermetic Wizard March 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HermeticWizard - S0698.

Known Synonyms
HermeticWizard

Internal MISP references

UUID ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa which can be used as unique global reference for HermeticWizard - S0698 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S0698 - webarchive
• https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine - webarchive

Associated metadata

Metadata key	Value
external_id	S0698
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

DarkGate - S1111

DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.(Citation: Ensilo Darkgate 2018) DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.(Citation: Trellix Darkgate 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkGate - S1111.

Known Synonyms
DarkGate

Internal MISP references

UUID 6f6f67c9-556d-4459-95c2-78d272190e52 which can be used as unique global reference for DarkGate - S1111 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1111 - webarchive
• https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign - webarchive
• https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1111
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

STEADYPULSE - S1112

STEADYPULSE is a web shell that infects targeted Pulse Secure VPN servers through modification of a legitimate Perl script that was used as early as 2020 including in activity against US Defense Industrial Base (DIB) entities.(Citation: Mandiant Pulse Secure Zero-Day April 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular STEADYPULSE - S1112.

Known Synonyms
STEADYPULSE

Internal MISP references

UUID ca0fead6-5277-427a-825b-42ff1fbe476e which can be used as unique global reference for STEADYPULSE - S1112 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1112 - webarchive
• https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day - webarchive

Associated metadata

Metadata key	Value
external_id	S1112
mitre_platforms	['Network']

Related clusters

To see the related clusters, click here.

RAPIDPULSE - S1113

RAPIDPULSE is a web shell that exists as a modification to a legitimate Pulse Secure file that has been used by APT5 since at least 2021.(Citation: Mandiant Pulse Secure Update May 2021)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RAPIDPULSE - S1113.

Known Synonyms
RAPIDPULSE

Internal MISP references

UUID 880f7b3e-ad27-4158-8b03-d44c9357950b which can be used as unique global reference for RAPIDPULSE - S1113 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1113 - webarchive
• https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices - webarchive

Associated metadata

Metadata key	Value
external_id	S1113
mitre_platforms	['Network', 'Linux']

Related clusters

To see the related clusters, click here.

ZIPLINE - S1114

ZIPLINE is a passive backdoor that was used during Cutting Edge on compromised Secure Connect VPNs for reverse shell and proxy functionality.(Citation: Mandiant Cutting Edge January 2024)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZIPLINE - S1114.

Known Synonyms
ZIPLINE

Internal MISP references

UUID d9765cbd-4c88-4805-ba98-4c6ccb56b864 which can be used as unique global reference for ZIPLINE - S1114 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1114 - webarchive
• https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day - webarchive

Associated metadata

Metadata key	Value
external_id	S1114
mitre_platforms	['Network']

Related clusters

To see the related clusters, click here.

WIREFIRE - S1115

WIREFIRE is a web shell written in Python that exists as trojanized logic to the visits.py component of Ivanti Connect Secure VPN appliances. WIREFIRE was used during Cutting Edge for downloading files and command execution.(Citation: Mandiant Cutting Edge January 2024)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WIREFIRE - S1115.

Known Synonyms
GIFTEDVISITOR
WIREFIRE

Internal MISP references

UUID c93e3079-43fb-4d8d-9e99-db63d07eadc9 which can be used as unique global reference for WIREFIRE - S1115 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1115 - webarchive
• https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day - webarchive
• https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1115
mitre_platforms	['Network']

Related clusters

To see the related clusters, click here.

WARPWIRE - S1116

WARPWIRE is a Javascript credential stealer that targets plaintext passwords and usernames for exfiltration that was used during Cutting Edge to target Ivanti Connect Secure VPNs.(Citation: Mandiant Cutting Edge January 2024)(Citation: Mandiant Cutting Edge Part 2 January 2024)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WARPWIRE - S1116.

Known Synonyms
WARPWIRE

Internal MISP references

UUID a5818d36-e9b0-46da-842d-b727a5e36ea6 which can be used as unique global reference for WARPWIRE - S1116 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1116 - webarchive
• https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation - webarchive
• https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day - webarchive

Associated metadata

Metadata key	Value
external_id	S1116
mitre_platforms	['Network']

Related clusters

To see the related clusters, click here.

GLASSTOKEN - S1117

GLASSTOKEN is a custom web shell used by threat actors during Cutting Edge to execute commands on compromised Ivanti Secure Connect VPNs.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GLASSTOKEN - S1117.

Known Synonyms
GLASSTOKEN

Internal MISP references

UUID 554e010d-726b-439d-9a1a-f60fff0cc109 which can be used as unique global reference for GLASSTOKEN - S1117 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1117 - webarchive
• https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1117
mitre_platforms	['Network']

Related clusters

To see the related clusters, click here.

BUSHWALK - S1118

BUSHWALK is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during Cutting Edge.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BUSHWALK - S1118.

Known Synonyms
BUSHWALK

Internal MISP references

UUID 29a0bb87-1162-4c83-9834-2a98a876051b which can be used as unique global reference for BUSHWALK - S1118 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1118 - webarchive
• https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence - webarchive
• https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation - webarchive

Associated metadata

Metadata key	Value
external_id	S1118
mitre_platforms	['Network']

Related clusters

To see the related clusters, click here.

LIGHTWIRE - S1119

LIGHTWIRE is a web shell written in Perl that was used during Cutting Edge to maintain access and enable command execution by imbedding into the legitimate compcheckresult.cgi component of Ivanti Secure Connect VPNs.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge January 2024)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LIGHTWIRE - S1119.

Known Synonyms
LIGHTWIRE

Internal MISP references

UUID 5dc9e8ec-9917-4de7-b8ab-16007899dd80 which can be used as unique global reference for LIGHTWIRE - S1119 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1119 - webarchive
• https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation - webarchive
• https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day - webarchive

Associated metadata

Metadata key	Value
external_id	S1119
mitre_platforms	['Network']

Related clusters

To see the related clusters, click here.

Mispadu - S1122

Mispadu is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: SCILabs Malteiro 2021) This malware is operated, managed, and sold by the Malteiro cybercriminal group.(Citation: SCILabs Malteiro 2021) Mispadu has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.(Citation: SCILabs Malteiro 2021)(Citation: SCILabs URSA/Mispadu Evolution 2023)(Citation: Segurança Informática URSA Sophisticated Loader 2020)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mispadu - S1122.

Known Synonyms
Mispadu

Internal MISP references

UUID 4e6464d2-69df-4e56-8d4c-1973f84d7b80 which can be used as unique global reference for Mispadu - S1122 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1122 - webarchive
• https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/ - webarchive
• https://blog.scilabs.mx/en/evolution-of-banking-trojan-ursa-mispadu/ - webarchive
• https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/ - webarchive
• https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1122
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

PITSTOP - S1123

PITSTOP is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during Cutting Edge to enable command execution and file read/write.(Citation: Mandiant Cutting Edge Part 3 February 2024)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PITSTOP - S1123.

Known Synonyms
PITSTOP

Internal MISP references

UUID d79b1800-3b5d-4a4f-8863-8251eca793e2 which can be used as unique global reference for PITSTOP - S1123 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1123 - webarchive
• https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence - webarchive

Associated metadata

Metadata key	Value
external_id	S1123
mitre_platforms	['Network']

Related clusters

To see the related clusters, click here.

SocGholish - S1124

SocGholish is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated by Mustard Tempest and its access has been sold to groups including Indrik Spider for downloading secondary RAT and ransomware payloads.(Citation: SentinelOne SocGholish Infrastructure November 2022)(Citation: SocGholish-update)(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SocGholish - S1124.

Known Synonyms
FakeUpdates
SocGholish

Internal MISP references

UUID 5911d2ca-64f6-49b3-b94f-29b5d185085c which can be used as unique global reference for SocGholish - S1124 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1124 - webarchive
• https://redcanary.com/threat-detection-report/threats/socgholish/ - webarchive
• https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update - webarchive
• https://www.secureworks.com/research/threat-profiles/gold-prelude - webarchive
• https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1124
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.

AcidRain - S1125

AcidRain is an ELF binary targeting modems and routers using MIPS architecture.(Citation: AcidRain JAGS 2022) AcidRain is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with Sandworm Team.(Citation: AcidRain JAGS 2022) US and European government sources linked AcidRain to Russian government entities, while Ukrainian government sources linked AcidRain specifically to Sandworm Team.(Citation: AcidRain State Department 2022)(Citation: Vincens AcidPour 2024)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AcidRain - S1125.

Known Synonyms
AcidRain

Internal MISP references

UUID 04cecafd-cb5f-4daf-aa1f-73899116c4a2 which can be used as unique global reference for AcidRain - S1125 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1125 - webarchive
• https://cyberscoop.com/viasat-malware-wiper-acidrain/ - webarchive
• https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/ - webarchive
• https://www.state.gov/attribution-of-russias-malicious-cyber-activity-against-ukraine/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1125
mitre_platforms	['Network', 'Linux']

Related clusters

To see the related clusters, click here.

Phenakite - S1126

Phenakite is a mobile malware that is used by APT-C-23 to target iOS devices. According to several reports, Phenakite was developed to fill a tooling gap and to target those who owned iPhones instead of Windows desktops or Android phones.(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Phenakite - S1126.

Known Synonyms
Phenakite

Internal MISP references

UUID f97e2718-af50-41df-811f-215ebab45691 which can be used as unique global reference for Phenakite - S1126 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1126 - webarchive
• https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf - webarchive
• https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1126
mitre_platforms	['iOS']

Related clusters

To see the related clusters, click here.

HilalRAT - S1128

HilalRAT is a remote access-capable Android malware, developed and used by UNC788.(Citation: Meta Adversarial Threat Report 2022) HilalRAT is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as activating a device's camera and microphone.(Citation: Meta Adversarial Threat Report 2022)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HilalRAT - S1128.

Known Synonyms
HilalRAT

Internal MISP references

UUID 55714f87-6178-4b89-b3e5-d3a643f647ca which can be used as unique global reference for HilalRAT - S1128 in MISP communities and other software using the MISP galaxy

External references

• https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf - webarchive
• https://attack.mitre.org/software/S1128 - webarchive

Associated metadata

Metadata key	Value
external_id	S1128
mitre_platforms	['Android']

Related clusters

To see the related clusters, click here.

Akira - S1129

Akira ransomware, written in C++, is most prominently (but not exclusively) associated with the a ransomware-as-a-service entity Akira.(Citation: Kersten Akira 2023)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Akira - S1129.

Known Synonyms
Akira

Internal MISP references

UUID 6f6b2353-4b39-40ce-9d6d-d00b7a61e656 which can be used as unique global reference for Akira - S1129 in MISP communities and other software using the MISP galaxy

External references

• https://attack.mitre.org/software/S1129 - webarchive
• https://www.trellix.com/blogs/research/akira-ransomware/ - webarchive

Associated metadata

Metadata key	Value
external_id	S1129
mitre_platforms	['Windows']

Related clusters

To see the related clusters, click here.