RAT
A remote administration tool or remote access tool (RAT), sometimes also called a remote access trojan, is a piece of software that allows a remote "operator" to control a system as if they had physical access to it.
Authors
Authors and/or Contributors |
---|
Various |
raw-data |
Iperius Remote
Iperius Remote is advertised with these features: control any computer remotely with Iperius Remote Desktop Free; suitable for remote support or presentations; ideal for technical assistance; easy to use and secure.
Internal MISP references
UUID 5abe8673-4f85-440b-8860-de39fc1b671c
which can be used as unique global reference for Iperius Remote
in MISP communities and other software using the MISP galaxy
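The UUID and synonym fields above are what make an entry usable as a global reference: a vendor's family name can be folded to the galaxy's canonical value and UUID, and then attached to an event as a MISP galaxy tag. The following is an added example (not code from the MISP galaxy project) that does exactly that over a constructed subset of this page's entries; the entry values, UUIDs and synonyms are copied from the page, while the JSON layout follows the galaxy cluster file shape (`name`/`type`/`values[]`) and the helper names (`normalise`, `load_cluster`, `build_index`, `resolve`) are this example's own. The tag format `misp-galaxy:<type>="<value>"` is MISP's.

```python
import json
import re
import uuid as uuidlib

# Constructed subset of this page's entries in the MISP galaxy cluster JSON
# shape (name/type/values[]). Values, UUIDs and synonyms are copied from the
# page; descriptions are omitted to keep the sample short.
RAT_CLUSTER_JSON = json.dumps({
    "name": "RAT",
    "type": "rat",
    "values": [
        {"value": "Back Orifice",
         "uuid": "20204b13-8ad1-4147-9328-0a9a7ac010b6",
         "meta": {"synonyms": ["BO"]}},
        {"value": "PoisonIvy",
         "uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
         "meta": {"synonyms": ["Backdoor.Win32.PoisonIvy",
                               "Gen:Trojan.Heur.PT", "Poison Ivy"]}},
        {"value": "Adwind RAT",
         "uuid": "b76d9845-815c-4e77-9538-6b737269da2f",
         "meta": {"date": "2011",
                  "synonyms": ["AlienSpy", "Frutas", "JBifrost", "Jsocket",
                               "UNRECOM",
                               "UNiversal REmote COntrol Multi-Platform",
                               "Unrecom"]}},
        {"value": "NJRat",
         "uuid": "7fb493bb-756b-42a2-8f6d-59e254f4f2cc",
         "meta": {"date": "2012", "synonyms": ["Njw0rm"]}},
        {"value": "Quasar RAT",
         "uuid": "6efa425c-3731-44fd-9224-2a62df061a2d",
         "meta": {"date": "2014"}},
    ],
})


def normalise(name):
    """Fold case and drop punctuation/whitespace so that 'Poison Ivy',
    'PoisonIvy' and 'poison-ivy' all map to the same lookup key."""
    return re.sub(r"[^a-z0-9]", "", name.casefold())


def load_cluster(text):
    """Parse a cluster file and enforce the property the page relies on:
    every entry carries a well-formed UUID that is unique in the cluster."""
    cluster = json.loads(text)
    seen = set()
    for entry in cluster["values"]:
        uid = uuidlib.UUID(entry["uuid"])  # ValueError if malformed
        if uid in seen:
            raise ValueError("duplicate uuid %s on %s" % (uid, entry["value"]))
        seen.add(uid)
    return cluster


def build_index(cluster):
    """Map every normalised value and synonym to the entries claiming it.
    Vendor names can collide across entries, so buckets are lists and
    resolve() refuses to guess when a key is shared."""
    index = {}
    for entry in cluster["values"]:
        names = [entry["value"]] + entry.get("meta", {}).get("synonyms", [])
        for name in names:
            bucket = index.setdefault(normalise(name), [])
            if entry not in bucket:
                bucket.append(entry)
    return index


def misp_tag(cluster, entry):
    """MISP's tag form for a galaxy cluster entry: misp-galaxy:<type>="<value>"."""
    return 'misp-galaxy:%s="%s"' % (cluster["type"], entry["value"])


def resolve(cluster, index, vendor_name):
    """Return (canonical value, uuid, tag) for a vendor-supplied family name,
    or None when the name is unknown or ambiguous between entries."""
    hits = index.get(normalise(vendor_name), [])
    if len(hits) != 1:
        return None
    entry = hits[0]
    return entry["value"], entry["uuid"], misp_tag(cluster, entry)


if __name__ == "__main__":
    cluster = load_cluster(RAT_CLUSTER_JSON)
    index = build_index(cluster)
    for name in ["Poison Ivy", "jsocket", "BO", "Njw0rm", "NotARealRat"]:
        print(name, "->", resolve(cluster, index, name))
```

The duplicate-UUID check matters more than it looks: the UUID, not the display name, is what other MISP instances key on when they merge galaxies, so a cluster file with two entries sharing one UUID silently overwrites one of them on import.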
External references
Associated metadata
Metadata key | Value |
---|---|
TeamViewer
TeamViewer is a proprietary computer software package for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.
Internal MISP references
UUID 8ee3c015-3088-4a5f-8c94-602c27d767c0
which can be used as unique global reference for TeamViewer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
JadeRAT
JadeRAT is just one example of numerous mobile surveillanceware families seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains. A threat actor using a tool called JadeRAT targets the mobile phones of ethnic minorities in China, notably Uighurs, for the purpose of espionage.
Internal MISP references
UUID 1cc8963b-5ad4-4e19-8e9a-57b0ff1ef926
which can be used as unique global reference for JadeRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Ethnic minorities in China'] |
cfr-target-category | ['Government', 'Civil society'] |
cfr-type-of-incident | Espionage |
Related clusters
To see the related clusters, click here.
Back Orifice
Back Orifice (often shortened to BO) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Back Orifice.
Known Synonyms |
---|
BO |
Internal MISP references
UUID 20204b13-8ad1-4147-9328-0a9a7ac010b6
which can be used as unique global reference for Back Orifice
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Netbus
NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a backdoor.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Netbus.
Known Synonyms |
---|
NetBus |
Internal MISP references
UUID 81ff6e46-0ba4-458b-b3b0-750e86404cae
which can be used as unique global reference for Netbus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 1998 |
PoisonIvy
Poison Ivy is a RAT which was freely available and first released in 2005.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PoisonIvy.
Known Synonyms |
---|
Backdoor.Win32.PoisonIvy |
Gen:Trojan.Heur.PT |
Poison Ivy |
Internal MISP references
UUID 4e104fef-8a2c-4679-b497-6e86d7d47db0
which can be used as unique global reference for PoisonIvy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Sub7
Sub7, or SubSeven or Sub7Server, is a Trojan horse program.[1] Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven". Sub7 was created by Mobman. Mobman has not maintained or updated the software since 2004, however an author known as Read101 has carried on the Sub7 legacy.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sub7.
Known Synonyms |
---|
Sub7Server |
SubSeven |
Internal MISP references
UUID d7369f05-65ce-4e10-916f-41f2f6d4ab59
which can be used as unique global reference for Sub7
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 1999 |
Beast Trojan
Beast is a Windows-based backdoor trojan horse, more commonly known in the hacking community as a Remote Administration Tool or a "RAT". It is capable of infecting versions of Windows from 95 to 10.
Internal MISP references
UUID 268a4f81-dbfd-4b20-9a54-24eba7a4c781
which can be used as unique global reference for Beast Trojan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
Bifrost
Bifrost is a discontinued backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Windows 10 (although on modern Windows systems, after Windows XP, its functionality is limited). Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine (which runs the server whose behavior can be controlled by the server editor).
Internal MISP references
UUID eb62bac0-68fd-4b17-af4f-89c6900ee414
which can be used as unique global reference for Bifrost
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2004 |
Blackshades
Blackshades is the name of a malicious trojan horse used by hackers to control computers remotely. The malware targets computers running Microsoft Windows-based operating systems.[2] According to US officials, over 500,000 computer systems have been infected worldwide with the software.
Internal MISP references
UUID 3a1fc564-3705-4cc0-8f80-13c58d470d34
which can be used as unique global reference for Blackshades
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
Related clusters
To see the related clusters, click here.
DarkComet
DarkComet is a Remote Administration Tool (RAT) developed by Jean-Pierre Lesueur (known as DarkCoderSc), an independent programmer and computer security coder from France. Although the RAT was developed back in 2008, it began to proliferate at the start of 2012.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkComet.
Known Synonyms |
---|
Dark Comet |
Internal MISP references
UUID 8a21ae06-d257-48a0-989b-1c9aebedabc2
which can be used as unique global reference for DarkComet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2008 |
Related clusters
To see the related clusters, click here.
Lanfiltrator
Backdoor.Lanfiltrator is a backdoor Trojan that gives an attacker unauthorized access to a compromised computer. The detection is used for a family of Trojans that are produced by the Backdoor.Lanfiltrator generator.
Internal MISP references
UUID 826e73f8-2241-4c99-848d-8597d685cfd3
which can be used as unique global reference for Lanfiltrator
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
Win32.HsIdir
Win32.HsIdir is an advanced remote administration tool written by its original author, HS32-Idir. It has been developed since 2006 (Copyright © 2006-2010 HS32-Idir).
Internal MISP references
UUID 569d539f-f949-4156-8896-108ea8352fbc
which can be used as unique global reference for Win32.HsIdir
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Optix Pro
Optix Pro is a configurable remote access tool or Trojan, similar to SubSeven or BO2K.
Internal MISP references
UUID 4ce3247b-203a-42a8-aaa0-05558c50894e
which can be used as unique global reference for Optix Pro
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
Back Orifice 2000
Back Orifice 2000 (often shortened to BO2k) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft BackOffice Server software. Back Orifice 2000 is a new version of the famous Back Orifice backdoor trojan (hacker's remote access tool). It was created by the Cult of the Dead Cow hacker group in July 1999. Originally BO2K was released as a source-code and utilities package on a CD-ROM. There are reports that some files on that CD-ROM were infected with the CIH virus, so people who got that CD might have been infected and spread not only the compiled backdoor but also the CIH virus.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Back Orifice 2000.
Known Synonyms |
---|
BO2k |
Internal MISP references
UUID 91f8a1d8-c816-45e1-8c26-17a7305ca375
which can be used as unique global reference for Back Orifice 2000
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 1999 |
RealVNC
The software consists of a server and client application for the Virtual Network Computing (VNC) protocol to control another
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RealVNC.
Known Synonyms |
---|
VNC Connect |
VNC Viewer |
Internal MISP references
UUID e1290288-84d4-4b32-858d-db4ed612de44
which can be used as unique global reference for RealVNC
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Adwind RAT
Backdoor:Java/Adwind is a Java archive (.JAR) file that drops a malicious component onto the machines and runs as a backdoor. When active, it is capable of stealing user information and may also be used to distribute other malware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Adwind RAT.
Known Synonyms |
---|
AlienSpy |
Frutas |
JBifrost |
Jsocket |
UNRECOM |
UNiversal REmote COntrol Multi-Platform |
Unrecom |
Internal MISP references
UUID b76d9845-815c-4e77-9538-6b737269da2f
which can be used as unique global reference for Adwind RAT
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf - webarchive
- https://www.f-secure.com/v-descs/backdoor_java_adwind.shtml - webarchive
- https://blog.fortinet.com/2016/08/16/jbifrost-yet-another-incarnation-of-the-adwind-rat - webarchive
- https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | 2011 |
Related clusters
To see the related clusters, click here.
Albertino Advanced RAT
Internal MISP references
UUID eff22ed3-81fc-4055-bd1d-76e1f191f487
which can be used as unique global reference for Albertino Advanced RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Arcom
The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00.
Internal MISP references
UUID cd167b01-dc63-4576-b4a1-5ee707aa392b
which can be used as unique global reference for Arcom
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
BlackNix
BlackNix is a RAT coded in Delphi.
Internal MISP references
UUID f3e79212-0e35-40d2-a1d6-37b629a8138e
which can be used as unique global reference for BlackNix
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Blue Banana
Blue Banana is a RAT (Remote Administration Tool) written purely in Java.
Internal MISP references
UUID 9b515229-36f6-4b93-9889-36116a12fd74
which can be used as unique global reference for Blue Banana
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
Bozok
Bozok, like many other popular RATs, is freely available. The author of the Bozok RAT goes by the moniker “Slayer616” and has created another RAT known as Schwarze Sonne, or “SS-RAT” for short. Both of these RATs are free and easy to find — various APT actors have used both in previous targeted attacks.
Internal MISP references
UUID 41f45758-0376-42a8-bc07-8f2ffbee3ad2
which can be used as unique global reference for Bozok
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2013 |
Related clusters
To see the related clusters, click here.
ClientMesh
ClientMesh is a remote administration application which allows a user to control a number of client PCs from around the world.
Internal MISP references
UUID 03eb6742-9a17-4aed-95e4-d8a0b0abefc3
which can be used as unique global reference for ClientMesh
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
CyberGate
CyberGate is a powerful, fully configurable and stable Remote Administration Tool coded in Delphi that is under continuous development. Using CyberGate you can log the victim's passwords and also take screenshots of their screen.
Internal MISP references
UUID c3cf4e88-704b-4d7c-8185-ee780804f3d3
which can be used as unique global reference for CyberGate
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2011 |
Related clusters
To see the related clusters, click here.
Dark DDoSeR
Internal MISP references
UUID 3c026104-6129-4749-9b41-07c28d9e84c4
which can be used as unique global reference for Dark DDoSeR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
DarkRat
In March 2017, Fujitsu Cyber Threat Intelligence uncovered a newly developed remote access tool referred to by its developer as ‘Dark RAT’ – a tool used to steal sensitive information from victims. Offered as a Fully Undetectable build (FUD) the RAT has a tiered price model including 24/7 support and an Android version. Android malware has seen a significant rise in interest and in 2015 this resulted in the arrests of a number of suspects involved in the infamous DroidJack malware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkRat.
Known Synonyms |
---|
DarkRAT |
Internal MISP references
UUID 7135cc9c-a7bf-44fc-b74b-80de9edd9438
which can be used as unique global reference for DarkRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2005 |
Greame
Internal MISP references
UUID e880a029-bb01-4a64-baa3-b13fc2af4e9d
which can be used as unique global reference for Greame
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
HawkEye
HawkEye is a popular RAT that can be used as a keylogger, it is also able to identify login events and record the destination, username, and password.
Internal MISP references
UUID 8414f79c-a879-44b6-b154-4992aa12dff1
which can be used as unique global reference for HawkEye
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2003 |
jRAT
jRAT is a cross-platform remote administration tool coded in Java. Because it is coded in Java, jRAT can run on all operating systems, including Windows, Mac OS X and Linux distributions.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular jRAT.
Known Synonyms |
---|
JacksBot |
Internal MISP references
UUID 1df62d96-88f8-473c-94a2-252eb360ba62
which can be used as unique global reference for jRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
Related clusters
To see the related clusters, click here.
jSpy
jSpy is a Java RAT.
Internal MISP references
UUID 669a0e4d-9760-49fc-bdf5-0471f84e0c76
which can be used as unique global reference for jSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2013 |
Related clusters
To see the related clusters, click here.
LuxNET
Just saying that this is a very badly coded RAT by the biggest skid in this world, that is XilluX. The connection is very unstable, the GUI is always flickering because of the bad Multi-Threading and many more bugs.
Internal MISP references
UUID aad1038d-4d50-4a3e-88f3-cd9d154dc45c
which can be used as unique global reference for LuxNET
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
NJRat
NJRat is a remote access trojan (RAT), first spotted in June 2013 with samples dating back to November 2012. It was developed and is supported by Arabic speakers and mainly used by cybercrime groups against targets in the Middle East. In addition to targeting some governments in the region, the trojan is used to control botnets and conduct other typical cybercrime activity. It infects victims via phishing attacks and drive-by downloads and propagates through infected USB keys or networked drives. It can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NJRat.
Known Synonyms |
---|
Njw0rm |
Internal MISP references
UUID 7fb493bb-756b-42a2-8f6d-59e254f4f2cc
which can be used as unique global reference for NJRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
Related clusters
To see the related clusters, click here.
Pandora
A remote administration tool developed for the Windows operating system. With advanced features and a stable structure, Pandora is built on an advanced client/server architecture.
Internal MISP references
UUID 59485642-d233-4167-9f51-bd1d74285c23
which can be used as unique global reference for Pandora
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
Predator Pain
Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn’t scale well when there are a lot of infected machines and logs involved.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Predator Pain.
Known Synonyms |
---|
PredatorPain |
Internal MISP references
UUID 42a97a5d-ee33-492a-b20f-758ecdbf1aed
which can be used as unique global reference for Predator Pain
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Punisher RAT
Remote administration tool
Internal MISP references
UUID e49af83c-fd2f-4540-92dc-97c7b84a9458
which can be used as unique global reference for Punisher RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2007 |
SpyGate
This is a tool that allows you to control your computer from anywhere in the world, with full support for Unicode languages.
Internal MISP references
UUID 1c3df89a-1f30-4ccb-acb4-5dee4b470b55
which can be used as unique global reference for SpyGate
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Small-Net
RAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Small-Net.
Known Synonyms |
---|
SmallNet |
Internal MISP references
UUID 1dd0c7f8-a6fb-4912-9de9-deb43f384fdb
which can be used as unique global reference for Small-Net
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Vantom
Vantom is a free RAT with good options and is very stable.
Internal MISP references
UUID 6e5a1fcb-f730-4d8d-890a-ef133782a7d2
which can be used as unique global reference for Vantom
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Xena
Xena RAT is a fully functional, stable, state-of-the-art RAT coded in Delphi, a natively compiled language, so it has almost no dependencies.
Internal MISP references
UUID b9d5ab11-dd6f-49ba-8117-ce16f71ff11c
which can be used as unique global reference for Xena
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
XtremeRAT
This malware has been used in targeted attacks as well as traditional cybercrime. During our investigation we found that the majority of XtremeRAT activity is associated with spam campaigns that typically distribute Zeus variants and other banking-focused malware.
Internal MISP references
UUID 3b6b55fb-595c-40c5-bbc5-dbe244b15026
which can be used as unique global reference for XtremeRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
Netwire
NetWire has a built-in keylogger that can capture inputs from peripheral devices such as USB card readers.
Internal MISP references
UUID e3113a0e-a65b-4119-8bc2-1c8d9d18c2db
which can be used as unique global reference for Netwire
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
Gh0st RAT
Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into some of the most sensitive computer networks on Earth. It is a cyber-spying computer program.
Internal MISP references
UUID 255a59a7-db2d-44fc-9ca9-5859b65817c3
which can be used as unique global reference for Gh0st RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2001 |
Related clusters
To see the related clusters, click here.
Plasma RAT
Plasma RAT’s stub is fairly advanced, having many robust features. Some of the features include botkilling, Cryptocurrencies Mining (CPU and GPU), persistence, anti-analysis, torrent seeding, AV killer, 7 DDoS methods and a keylogger. The RAT is coded in VB.Net. There is also a Botnet version of it (Plasma HTTP), which is pretty similar to the RAT version.
Internal MISP references
UUID af534ddb-d0c6-47c0-82be-058c8bd5c6e1
which can be used as unique global reference for Plasma RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Babylon
Babylon is a highly advanced remote administration tool with no dependencies. The server is developed in C++, an ideal language for high performance, and the client is developed in C# (.NET Framework 4.5).
Internal MISP references
UUID ad1c9a50-3cd2-446a-ab31-9ecb62980d61
which can be used as unique global reference for Babylon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Imminent Monitor
RAT
Internal MISP references
UUID f52a5252-ef53-4935-81c8-96fffcd1b952
which can be used as unique global reference for Imminent Monitor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
DroidJack
DroidJack is a RAT (Remote Access Trojan/Remote Administration Tool), a Java-based remote access, monitoring and management tool for the Android mobile OS. It can be used from a PC to take complete remote control of any Android device infected with DroidJack. It comes with powerful functions and user-friendly operation, and allows attackers to fully take over the mobile phone and steal or record the victim's private data at will.
Internal MISP references
UUID 7f032293-bfa2-4595-803d-c84519190861
which can be used as unique global reference for DroidJack
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Quasar RAT
Quasar is a fast and lightweight remote administration tool coded in C#, providing high stability and an easy-to-use user interface.
Internal MISP references
UUID 6efa425c-3731-44fd-9224-2a62df061a2d
which can be used as unique global reference for Quasar RAT
in MISP communities and other software using the MISP galaxy
External references
- https://github.com/quasar/QuasarRAT - webarchive
- https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/ - webarchive
- https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | 2014 |
Related clusters
To see the related clusters, click here.
Dendroid
Dendroid is malware that affects Android OS and targets the mobile platform. It was first discovered in early 2014 by Symantec and appeared in the underground for sale for $300. Some things were noted in Dendroid, such as being able to hide from emulators at the time. When first discovered in 2014 it was one of the most sophisticated Android remote administration tools known at that time. It was one of the first Trojan applications to get past Google's Bouncer and caused researchers to warn that it was becoming easier to create Android malware because of it. It also seems to have followed in the footsteps of Zeus and SpyEye by having simple-to-use command and control panels. The code appeared to be leaked somewhere around 2014. It was noted that an APK binder was included in the leak, which provided a simple way to bind Dendroid to legitimate applications.
Internal MISP references
UUID ea3a8c25-4adb-4538-bf11-55259bdba15f
which can be used as unique global reference for Dendroid
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2014 |
Related clusters
To see the related clusters, click here.
Ratty
A Java RAT program.
Internal MISP references
UUID a51f07ae-ab2c-45ee-aa9c-1db7873e7bb4
which can be used as unique global reference for Ratty
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2016 |
Related clusters
To see the related clusters, click here.
RaTRon
Java RAT
Internal MISP references
UUID 48b6886b-67a9-4815-92a2-1b7aca24d4ac
which can be used as unique global reference for RaTRon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Arabian-Attacker RAT
Internal MISP references
UUID f966a936-19f9-4b6b-95b3-0ff102e26303
which can be used as unique global reference for Arabian-Attacker RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2006 |
Androrat
Androrat is a client/server application developed in Java Android for the client side and in Java/Swing for the Server.
Internal MISP references
UUID ce70bf96-0629-4c7d-8ed8-2315fab0ed42
which can be used as unique global reference for Androrat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Adzok
Remote Administrator
Internal MISP references
UUID 3560c833-3d28-4888-b0b8-1951ecac57a2
which can be used as unique global reference for Adzok
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Schwarze-Sonne-RAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Schwarze-Sonne-RAT.
Known Synonyms |
---|
SS-RAT |
Schwarze Sonne |
Internal MISP references
UUID 99860df7-565d-47e4-a086-c4af1623b626
which can be used as unique global reference for Schwarze-Sonne-RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
Cyber Eye RAT
Internal MISP references
UUID 729f1b02-ce0c-41a4-8d4e-c7c1f5475c4b
which can be used as unique global reference for Cyber Eye RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Batch NET
Internal MISP references
UUID 9501172b-a81a-49bb-90ce-31f2fb78a130
which can be used as unique global reference for Batch NET
in MISP communities and other software using the MISP galaxy
RWX RAT
Internal MISP references
UUID 62c5b489-8750-4fab-aca3-b233af789831
which can be used as unique global reference for RWX RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Spynet
Spy-Net is software that allows you to control any computer in the world running the Windows operating system. It is back with new functions and good options to give you full control of your remote computer. Stable and fast, this software offers a good interface, providing an easy way to use all of its functions.
Internal MISP references
UUID 66bfd62e-6626-4104-af37-a44244204ac8
which can be used as unique global reference for Spynet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
CTOS
Internal MISP references
UUID b9d7d5b8-7cf4-4650-a88a-5f4e991c45d6
which can be used as unique global reference for CTOS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Virus RAT
Internal MISP references
UUID 9107fc0d-6705-4fc2-b621-e5ac42afef90
which can be used as unique global reference for Virus RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Atelier Web Remote Commander
Internal MISP references
UUID c51188d6-d489-4a18-a9a8-e38365f0bc10
which can be used as unique global reference for Atelier Web Remote Commander
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
drat
A distributed, parallelized (Map Reduce) wrapper around Apache™ RAT to allow it to complete on large code repositories of multiple file types where Apache™ RAT hangs forever.
Internal MISP references
UUID 5ee39172-7ba3-477c-9772-88841b4be691
which can be used as unique global reference for drat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
MoSucker
MoSucker is a powerful backdoor - hacker's remote access tool.
Internal MISP references
UUID 611ed43b-b869-4419-a487-6f7393125eb3
which can be used as unique global reference for MoSucker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Theef
Internal MISP references
UUID f5154f40-46c1-4a0d-9814-cb5e5adf201b
which can be used as unique global reference for Theef
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
ProRat
ProRat is a Microsoft Windows based backdoor trojan, more commonly known as a Remote Administration Tool. As with other trojan horses it uses a client and server. ProRat opens a port on the computer which allows the client to perform numerous operations on the server (the machine being controlled).
Internal MISP references
UUID cae67963-63d2-4c8b-8358-a03556f20b7b
which can be used as unique global reference for ProRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
Setro
Internal MISP references
UUID 6b1b2415-b42f-41c4-8c35-077844a9c4dc
which can be used as unique global reference for Setro
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Indetectables RAT
Internal MISP references
UUID 36912ecf-9411-44fa-b14d-ec3b6896b0e2
which can be used as unique global reference for Indetectables RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Luminosity Link
Internal MISP references
UUID 0f2c6cd4-675a-4c41-acf5-1b0bc3625375
which can be used as unique global reference for Luminosity Link
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Orcus
Internal MISP references
UUID 30a1a10e-4155-43a6-854a-3b43bc2a3f9c
which can be used as unique global reference for Orcus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2015 |
Blizzard
Internal MISP references
UUID a7e4c2ff-6747-48e4-99c4-5c638c167fc0
which can be used as unique global reference for Blizzard
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Kazybot
Internal MISP references
UUID 6c553273-f3f8-4e66-b764-9a9ae83a2f35
which can be used as unique global reference for Kazybot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
BX
Internal MISP references
UUID f6cc85de-81da-4276-a87c-45e3a00b67b5
which can be used as unique global reference for BX
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2014 |
death
Internal MISP references
UUID b7095617-3320-4118-9f28-7d4356e2571a
which can be used as unique global reference for death
in MISP communities and other software using the MISP galaxy
Sky Wyder
Internal MISP references
UUID 866f97d7-faa9-49e2-b704-7406c1ee2565
which can be used as unique global reference for Sky Wyder
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
DarkTrack
Internal MISP references
UUID f60dc9e3-2053-446c-89a0-ad69906de6e4
which can be used as unique global reference for DarkTrack
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2017 |
xRAT
Free, Open-Source Remote Administration Tool. xRAT 2.0 is a fast and light-weight Remote Administration Tool coded in C# (using .NET Framework 2.0).
Internal MISP references
UUID 509aff15-ba17-4582-b1a0-b0ed89df01d8
which can be used as unique global reference for xRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2017 |
Related clusters
To see the related clusters, click here.
Biodox
Internal MISP references
UUID 43e91752-23f5-41c6-baa3-74d6fc0f2cad
which can be used as unique global reference for Biodox
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Offence
Offense RAT is a free remote administration tool made in Delphi 9.
Internal MISP references
UUID a9caa398-ba8b-4a64-8970-67761c7efc76
which can be used as unique global reference for Offence
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Apocalypse
Internal MISP references
UUID d5d3f9de-21b5-482e-b716-5f2f13182990
which can be used as unique global reference for Apocalypse
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2009 |
Related clusters
To see the related clusters, click here.
JCage
Internal MISP references
UUID 0d756293-6cbc-4973-8df8-7d6ab0cd51e0
which can be used as unique global reference for JCage
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2013 |
Nuclear RAT
Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor trojan horse that infects Windows NT family systems (Windows 2000, XP, 2003).
Internal MISP references
UUID 1b0f4481-f205-493a-a167-59669a64b6fc
which can be used as unique global reference for Nuclear RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Ozone
C++ REMOTE CONTROL PROGRAM
Internal MISP references
UUID 1a4d6958-45fe-41ca-b545-bdf28fba14fa
which can be used as unique global reference for Ozone
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Xanity
Internal MISP references
UUID 66c3e21d-1cb9-43b4-bd1b-2d9ac839a628
which can be used as unique global reference for Xanity
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
DarkMoon
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkMoon.
Known Synonyms |
---|
Dark Moon |
Internal MISP references
UUID 18a4e501-c6e3-45e9-beee-25421b0c7bcb
which can be used as unique global reference for DarkMoon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
Xpert
Internal MISP references
UUID bdb25a20-4c6c-4fdb-ac05-5f81fb6c15a7
which can be used as unique global reference for Xpert
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Kiler RAT
This remote access trojan (RAT) has capabilities ranging from manipulating the registry to opening a reverse shell, and from stealing credentials stored in browsers to accessing the victim's webcam. Through the Command & Control (CnC) server software, the attacker can create and configure the malware to spread via physical devices, such as USB drives, and also use the victim as a pivot point to gain more access laterally throughout the network. This remote access trojan could be classified as a variant of the well-known njrat, as they share many similar features such as their display style, several abilities and a general template for communication methods. However, where njrat left off, KilerRat has taken over. KilerRat is a very feature-rich RAT with an active development force that is rapidly gaining in popularity amongst the Middle Eastern community and the world.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kiler RAT.
Known Synonyms |
---|
Njw0rm |
Internal MISP references
UUID c01ef312-dfd6-403f-a8b5-67fc11a550a7
which can be used as unique global reference for Kiler RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Brat
Internal MISP references
UUID 7109e2b0-8c05-4d2b-a37f-c00d799f0c02
which can be used as unique global reference for Brat
in MISP communities and other software using the MISP galaxy
MINI-MO
Internal MISP references
UUID 32ea7a67-9649-4bd3-b194-f37f04c208ba
which can be used as unique global reference for MINI-MO
in MISP communities and other software using the MISP galaxy
Lost Door
Unlike most attack tools that one can only find in cybercriminal underground markets, Lost Door is very easy to obtain. It's promoted on social media sites like YouTube and Facebook. Its maker, "OussamiO," even has his own Facebook page where details on his creation can be found. He also has a dedicated blog (hxxp://lost-door[.]blogspot[.]com/) where tutorial videos and instructions on using the RAT are found. Any cybercriminal or threat actor can purchase and use the RAT to launch attacks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lost Door.
Known Synonyms |
---|
LostDoor |
Internal MISP references
UUID 8007f2be-ba4f-445e-8a15-6c2bfe769c49
which can be used as unique global reference for Lost Door
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
Loki RAT
Loki RAT is a PHP RAT, which means no port forwarding is needed for this RAT. If you don't know how to set up this RAT, click on tutorial.
Internal MISP references
UUID 70e6875b-34b5-4f97-8403-210defbc040d
which can be used as unique global reference for Loki RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
MLRat
Internal MISP references
UUID 83929545-ef07-469c-ab55-c59155a66cc6
which can be used as unique global reference for MLRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
SpyCronic
Internal MISP references
UUID 71289654-0217-44d7-8762-b609b3eace80
which can be used as unique global reference for SpyCronic
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Pupy
Pupy is an open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in Python.
Internal MISP references
UUID bdb420be-5882-41c8-b439-02bbef69d83f
which can be used as unique global reference for Pupy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2015 |
Related clusters
To see the related clusters, click here.
Nova
Nova is a proof of concept demonstrating screen sharing over UDP hole punching.
Internal MISP references
UUID eea78fd1-11ae-432a-9422-d5e774eb8ff2
which can be used as unique global reference for Nova
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
BD Y3K RAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BD Y3K RAT.
Known Synonyms |
---|
Back Door Y3K RAT |
Y3k |
Internal MISP references
UUID 62f8b6aa-f3df-4789-9348-b16db59f345e
which can be used as unique global reference for BD Y3K RAT
in MISP communities and other software using the MISP galaxy
External references
- https://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=9401&signatureSubId=2 - webarchive
- https://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=9401&signatureSubId=0&softwareVersion=6.0&releaseVersion=S177 - webarchive
- https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20292 - webarchive
- https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20264 - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | 1998 |
Turkojan
Turkojan is a remote administration and spying tool for Microsoft Windows operating systems.
Internal MISP references
UUID 29f7cf0f-b422-4966-9298-c8b4cb54deac
which can be used as unique global reference for Turkojan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2003 |
TINY
TINY is a set of programs that lets you control a DOS computer from any Java-capable machine over a TCP/IP connection. It is comparable to programs like VNC, CarbonCopy, and GotoMyPC except that the host machine is a DOS computer rather than a Windows one.
Internal MISP references
UUID c9fd50a0-35c8-4dfd-baeb-8043182e864c
which can be used as unique global reference for TINY
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
SharK
sharK is an advanced reverse-connecting, firewall-bypassing remote administration tool written in VB6. With sharK you will be able to administer every PC (running Windows) remotely.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SharK.
Known Synonyms |
---|
SHARK |
Shark |
Internal MISP references
UUID ff471870-7c9a-4122-ba89-489fc819660b
which can be used as unique global reference for SharK
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2008 |
Related clusters
To see the related clusters, click here.
Snowdoor
Backdoor.Snowdoor is a backdoor Trojan horse that allows unauthorized access to an infected computer. It creates an open C drive share with its default settings. By default, the Trojan listens on port 5328.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Snowdoor.
Known Synonyms |
---|
Backdoor.Blizzard |
Backdoor.Fxdoor |
Backdoor.Snowdoor |
Backdoor:Win32/Snowdoor |
Internal MISP references
UUID ed4590cd-d636-46bc-a92d-d90b9548db51
which can be used as unique global reference for Snowdoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Paradox
Internal MISP references
UUID 5d4123f6-c344-45ee-83e9-c5656d38e604
which can be used as unique global reference for Paradox
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
SpyNote
Android RAT
Internal MISP references
UUID ea727e26-b3de-44f8-86c5-11a912c7a8aa
which can be used as unique global reference for SpyNote
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
ZOMBIE SLAYER
Internal MISP references
UUID b7b6db54-db6a-463c-a2a2-3a0da1f7fe32
which can be used as unique global reference for ZOMBIE SLAYER
in MISP communities and other software using the MISP galaxy
HTTP WEB BACKDOOR
Internal MISP references
UUID 69b002ee-1be8-44e2-9295-8299b97a5773
which can be used as unique global reference for HTTP WEB BACKDOOR
in MISP communities and other software using the MISP galaxy
NET-MONITOR PRO
Net Monitor for Employees lets you see what everyone's doing without leaving your desk. Monitor the activity of all employees. Plus, you can share your screen with your employees' PCs, making demos and presentations much easier.
Internal MISP references
UUID 376671ff-2131-4150-b1f4-7870f6adf8ae
which can be used as unique global reference for NET-MONITOR PRO
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
DameWare Mini Remote Control
Affordable remote control software for all your customer support and help desk needs.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DameWare Mini Remote Control.
Known Synonyms |
---|
dameware |
Internal MISP references
UUID ba157c90-8f94-45f2-8395-001e76eee506
which can be used as unique global reference for DameWare Mini Remote Control
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Remote Utilities
Remote Utilities is a free remote access program with some really great features. It works by pairing two remote computers together with what they call an "Internet ID." You can control a total of 10 PCs with Remote Utilities.
Internal MISP references
UUID 903846e2-5fa7-42c9-98bf-00d05473c9e3
which can be used as unique global reference for Remote Utilities
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Ammyy Admin
Ammyy Admin is a completely portable remote access program that's extremely simple to set up. It works by connecting one computer to another via an ID supplied by the program.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ammyy Admin.
Known Synonyms |
---|
Ammyy |
Internal MISP references
UUID 9025f09b-a3fe-4711-89b8-bee6037681f8
which can be used as unique global reference for Ammyy Admin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2011 |
Ultra VNC
UltraVNC works a bit like Remote Utilities, where a server and a viewer are installed on two PCs, and the viewer is used to control the server.
Internal MISP references
UUID 12f03025-467b-49b3-ba7b-2a152e38eae5
which can be used as unique global reference for Ultra VNC
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
AeroAdmin
AeroAdmin is probably the easiest program to use for free remote access. There are hardly any settings, and everything is quick and to the point, which is perfect for spontaneous support.
Internal MISP references
UUID 6dd8f7ac-a90b-4155-843d-b95f1f4e0e81
which can be used as unique global reference for AeroAdmin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Windows Remote Desktop
Windows Remote Desktop is the remote access software built into the Windows operating system. No additional download is necessary to use the program.
Internal MISP references
UUID 07c792c4-2f78-4eba-a6a3-3ba28e098886
which can be used as unique global reference for Windows Remote Desktop
in MISP communities and other software using the MISP galaxy
RemotePC
RemotePC, for good or bad, is a more simple free remote desktop program. You're only allowed one connection (unless you upgrade) but for many of you, that'll be just fine.
Internal MISP references
UUID e4ae4f4e-a751-4633-a54e-c747508ff3b8
which can be used as unique global reference for RemotePC
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Seecreen
Seecreen (previously called Firnass) is an extremely tiny (500 KB), yet powerful free remote access program that's absolutely perfect for on-demand, instant support.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Seecreen.
Known Synonyms |
---|
Firnass |
Internal MISP references
UUID b9df1fb3-17b7-430b-8c23-f1d321c1265c
which can be used as unique global reference for Seecreen
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Chrome Remote Desktop
Chrome Remote Desktop is an extension for the Google Chrome web browser that lets you set up a computer for remote access from any other Chrome browser.
Internal MISP references
UUID 6583d982-a5cb-47e0-a3b0-bc18cadaeb53
which can be used as unique global reference for Chrome Remote Desktop
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
AnyDesk
AnyDesk is a remote desktop program that you can run portably or install like a regular program.
Internal MISP references
UUID 7d71d21e-68f0-4595-beee-7c353471463d
which can be used as unique global reference for AnyDesk
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
LiteManager
LiteManager is another remote access program, and it's strikingly similar to Remote Utilities, which I explain on the first page of this list. However, unlike Remote Utilities, which can control a total of only 10 PCs, LiteManager supports up to 30 slots for storing and connecting to remote computers, and also has lots of useful features.
Internal MISP references
UUID 0c8a877b-6c9c-43a7-9688-d90a098d8710
which can be used as unique global reference for LiteManager
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Comodo Unite
Comodo Unite is another free remote access program that creates a secure VPN between multiple computers. Once a VPN is established, you can remotely have access to applications and files through the client software.
Internal MISP references
UUID 9b990bc7-ff88-4658-90de-806711462c55
which can be used as unique global reference for Comodo Unite
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
ShowMyPC
ShowMyPC is a portable and free remote access program that's nearly identical to UltraVNC but uses a password to make a connection instead of an IP address.
Internal MISP references
UUID 185adc84-ad02-4559-aacc-50b2d690640c
which can be used as unique global reference for ShowMyPC
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
join.me
join.me is a remote access program from the producers of LogMeIn that provides quick access to another computer over an internet browser.
Internal MISP references
UUID 204b457d-9729-460b-991b-943171c55fa7
which can be used as unique global reference for join.me
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
DesktopNow
DesktopNow is a free remote access program from NCH Software. After optionally forwarding the proper port number in your router, and signing up for a free account, you can access your PC from anywhere through a web browser.
Internal MISP references
UUID 82a2bcba-0f31-4a45-bddb-559db9819fad
which can be used as unique global reference for DesktopNow
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
BeamYourScreen
Another free and portable remote access program is BeamYourScreen. This program works like some of the others in this list, where the presenter is given an ID number they must share with another user so they can connect to the presenter's screen.
Internal MISP references
UUID a31bf7d6-70a9-4f5f-a38e-88e173ad444c
which can be used as unique global reference for BeamYourScreen
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Casa RAT
Internal MISP references
UUID ef164438-e4bd-4c56-a8e6-e5e64bc8dd5a
which can be used as unique global reference for Casa RAT
in MISP communities and other software using the MISP galaxy
Bandook RAT
Bandook is a FWB#++ reverse-connection RAT (Remote Administration Tool), with a small server (30 KB when packed) and a long list of amazing features.
Internal MISP references
UUID 3482922d-b58c-482f-8363-f63f52fcdb43
which can be used as unique global reference for Bandook RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2005 |
Cerberus RAT
Internal MISP references
UUID 180145d0-f4e3-4ab3-b5bb-ce17f7fec0db
which can be used as unique global reference for Cerberus RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2009 |
Syndrome RAT
Internal MISP references
UUID db9bcc9a-27ec-4a58-a481-d978b4954ad7
which can be used as unique global reference for Syndrome RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
Snoopy
Snoopy is a Remote Administration Tool: software for controlling a user's computer remotely from another computer on a local network or the Internet.
Internal MISP references
UUID fffbcd87-f028-4c4a-9e94-312e4e954450
which can be used as unique global reference for Snoopy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
5p00f3r.N$ RAT
Internal MISP references
UUID f592c850-4867-4fa1-a303-151b953710d7
which can be used as unique global reference for 5p00f3r.N$ RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
P. Storrie RAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular P. Storrie RAT.
Known Synonyms |
---|
P.Storrie RAT |
Internal MISP references
UUID 9287c2db-99e6-4d3b-bb32-3054e2e96e39
which can be used as unique global reference for P. Storrie RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2011 |
xHacker Pro RAT
Internal MISP references
UUID 832dad3c-6483-4d3c-ad02-8336dea90682
which can be used as unique global reference for xHacker Pro RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2007 |
NetDevil
Backdoor.NetDevil allows a hacker to remotely control an infected computer.
Internal MISP references
UUID 281563d8-14f8-43a8-a0cb-2f0198f7146c
which can be used as unique global reference for NetDevil
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
NanoCore
In September of 2015, a DigiTrust client visited a web link that was providing an Adobe Flash Player update. The client, an international retail organization, attempted to download and run what appeared to be a regular update. The computer trying to download this update was a back-office system that processed end-of-day credit card transactions. This system also had the capability of connecting to the corporate network, which contained company sales reports. DigiTrust experts were alerted to something malicious and blocked the download. The investigation found that what appeared to be an Adobe Flash Player update was a Remote Access Trojan called NanoCore. If installation had been successful, customer credit card data, personal information, and internal sales information could have been captured and monetized. During the analysis of NanoCore, our experts found that there was much more to this RAT than simply being another Remote Access Trojan.
Internal MISP references
UUID 6c3c111a-93af-428a-bee0-feacbee0237d
which can be used as unique global reference for NanoCore
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Cobian RAT
The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals often buy and sell exploit and malware kits. This RAT builder caught our attention as it was being offered for free and had a lot of similarities to the njRAT/H-Worm family.
Internal MISP references
UUID 8c49da10-2b59-42c4-81e6-75556decdecb
which can be used as unique global reference for Cobian RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2017 |
Related clusters
To see the related clusters, click here.
Netsupport Manager
NetSupport Manager continues to deliver the very latest in remote access, PC support and desktop management capabilities. From a desktop, laptop, tablet or smartphone, monitor multiple systems in a single action, deliver hands-on remote support, collaborate and even record or play back sessions. When needed, gather real-time hardware and software inventory, monitor services and even view system config remotely to help resolve issues quickly.
Internal MISP references
UUID d6fe0674-f55b-46ea-bf87-78fa0fa6ac97
which can be used as unique global reference for Netsupport Manager
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 1989 |
VorteX
Internal MISP references
UUID 2a47361d-584b-493f-80a4-37c74c30cf1b
which can be used as unique global reference for VorteX
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 1998 |
Assassin
Internal MISP references
UUID eac2e921-d71e-45fd-abff-4902968f910d
which can be used as unique global reference for Assassin
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
Net Devil
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Net Devil.
Known Synonyms |
---|
NetDevil |
Internal MISP references
UUID 2be434d3-03df-4236-9e7e-130c2efa8b33
which can be used as unique global reference for Net Devil
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
Related clusters
To see the related clusters, click here.
A4Zeta
Internal MISP references
UUID 9a0b6acf-e913-446a-a4cd-35eb9046febe
which can be used as unique global reference for A4Zeta
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
Greek Hackers RAT
Internal MISP references
UUID 77e7ad24-3412-4536-ae4c-1971317f4231
which can be used as unique global reference for Greek Hackers RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
MRA RAT
Internal MISP references
UUID de4974d1-1a1b-4a67-835b-172ebbdcfafd
which can be used as unique global reference for MRA RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
Sparta RAT
Internal MISP references
UUID c1086221-a498-4ec9-ac33-85e4790136ae
which can be used as unique global reference for Sparta RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
LokiTech
Internal MISP references
UUID ff97af70-011c-4d7c-9ae6-1e41ea5dfc12
which can be used as unique global reference for LokiTech
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2003 |
MadRAT
Internal MISP references
UUID 5c65f5ec-c629-4d12-9078-08a4bb7522eb
which can be used as unique global reference for MadRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2002 |
Tequila Bandita
Internal MISP references
UUID 831879d3-5492-46b1-b174-491e6b413232
which can be used as unique global reference for Tequila Bandita
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2004 |
Toquito Bandito
Internal MISP references
UUID 79861bda-8c72-4b90-876e-854b9daf32eb
which can be used as unique global reference for Toquito Bandito
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2004 |
MofoTro
MofoTro is a new rat coded by Cool_mofo_2.
Internal MISP references
UUID fa0a7929-3876-4866-9c01-a5d168379816
which can be used as unique global reference for MofoTro
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2006 |
Hav-RAT
Written in Delphi
Internal MISP references
UUID 3a2176f2-138d-4939-958c-70992abddca3
which can be used as unique global reference for Hav-RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2007 |
ComRAT
ComRAT is a remote access tool suspected of being a descendant of Agent.btz and used by Turla.
Internal MISP references
UUID 9223bf17-7e32-4833-9574-9ffd8c929765
which can be used as unique global reference for ComRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2007 |
Related clusters
4H RAT
4H RAT is malware that has been used by Putter Panda since at least 2007.
Internal MISP references
UUID d8aad68d-a68f-42e1-b755-d5f383b73401
which can be used as unique global reference for 4H RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2007 |
Related clusters
Darknet RAT
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Darknet RAT.
Known Synonyms |
---|
Dark NET RAT |
Internal MISP references
UUID ba285e93-d330-4efc-ad00-a84433575e2c
which can be used as unique global reference for Darknet RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2007 |
CIA RAT
Internal MISP references
UUID b82d0ec7-3918-4252-9c8f-b4d17b14c596
which can be used as unique global reference for CIA RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2008 |
Minimo
Internal MISP references
UUID 71a72669-4d7b-49a5-95a3-bbefbb2152bf
which can be used as unique global reference for Minimo
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2008 |
miniRAT
Internal MISP references
UUID 2b640955-05d4-46f7-9b34-c697f4e927e4
which can be used as unique global reference for miniRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2008 |
Pain RAT
Internal MISP references
UUID 17958627-0c27-4536-8839-5c91d51866bc
which can be used as unique global reference for Pain RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2008 |
PlugX
PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. It was utilized the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PlugX.
Known Synonyms |
---|
Korplug |
SOGU |
Scontroller |
Internal MISP references
UUID 663f8ef9-4c50-499a-b765-f377d23c1070
which can be used as unique global reference for PlugX
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2005 or 2008 |
Related clusters
UNITEDRAKE
The existence of the UNITEDRAKE RAT first came to light in 2014 as part of a series of classified documents leaked by former NSA contractor Edward Snowden.
Internal MISP references
UUID 41d4b98f-8ec2-4e8d-938c-42a776b422ee
which can be used as unique global reference for UNITEDRAKE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2008 |
MegaTrojan
Written in Visual Basic
Internal MISP references
UUID 4c053709-5349-4630-8462-dde28c8433eb
which can be used as unique global reference for MegaTrojan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2008 |
Venomous Ivy
Internal MISP references
UUID 9b5eb899-fc44-43f5-9a28-cdac4bc6a784
which can be used as unique global reference for Venomous Ivy
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2009 |
Xploit
Internal MISP references
UUID 286fc965-b019-49b1-937c-740b95a368bb
which can be used as unique global reference for Xploit
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
Arctic R.A.T.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Arctic R.A.T.
Known Synonyms |
---|
Artic |
Internal MISP references
UUID 3ff21b18-8be5-45fd-9d42-d5ab9dddfa4c
which can be used as unique global reference for Arctic R.A.T.
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
GOlden Phoenix
Internal MISP references
UUID 422ff7d4-0106-4e87-8eae-8cbd6c789540
which can be used as unique global reference for GOlden Phoenix
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
GraphicBooting
Internal MISP references
UUID 06b18c56-0894-4bca-a373-21e1576ddd7c
which can be used as unique global reference for GraphicBooting
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
Pocket RAT
Internal MISP references
UUID 76313bca-2551-4f0c-b427-e413cbb728b0
which can be used as unique global reference for Pocket RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
Erebus
Internal MISP references
UUID ee73e375-3ac2-4ce0-b24b-74fd82d52864
which can be used as unique global reference for Erebus
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
Related clusters
SharpEye
Internal MISP references
UUID c42394f8-5f35-4797-9393-8289ab8ad3ad
which can be used as unique global reference for SharpEye
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
Archelaus Beta
Internal MISP references
UUID ccd38085-f3bc-4fb0-ae24-99a45964dd8e
which can be used as unique global reference for Archelaus Beta
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
BlackHole
C# RAT (Remote Administration Tool) - Educational purposes only
Internal MISP references
UUID 2ea1f494-cf18-49fb-a043-36555131dd7c
which can be used as unique global reference for BlackHole
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2011 |
Related clusters
Vanguard
Internal MISP references
UUID 9de3e8d7-c501-4926-a82f-6e147d66c06d
which can be used as unique global reference for Vanguard
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
Ahtapod
Internal MISP references
UUID dd2c3283-095d-4895-85cd-6a01e0616968
which can be used as unique global reference for Ahtapod
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2011 |
FINSPY
Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.
Internal MISP references
UUID 6ac125c8-6f00-490f-a43b-30b36d715431
which can be used as unique global reference for FINSPY
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
Related clusters
Seed RAT
Seed is a firewall bypass plus trojan; it injects into the default browser and has a simple purpose: to be compact (4kb server size) and useful for uploading bigger, full-featured trojans, or even for making Seed download them from somewhere. It has computer info, a process manager, and a file manager with download, create folder, delete, execute and upload, plus a remote download function. Everything comes with an easy-to-use interface that resembles an instant messenger.
Internal MISP references
UUID 4c0ec00c-7fd4-4d8b-b1c9-6a12035fe992
which can be used as unique global reference for Seed RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2004 or 2011 |
SharpBot
Internal MISP references
UUID 126d167b-c47e-42a5-91fa-5af157f6df30
which can be used as unique global reference for SharpBot
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2011 |
TorCT PHP RAT
Internal MISP references
UUID 14210ee4-e0bf-49f9-8d7a-13180dadda6b
which can be used as unique global reference for TorCT PHP RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
A32s RAT
Internal MISP references
UUID 564dc473-e3a7-466b-afa0-591db218c05e
which can be used as unique global reference for A32s RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
Char0n
Internal MISP references
UUID 6faf9e5a-517f-4f7c-b720-7b7d537f65ef
which can be used as unique global reference for Char0n
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
Nytro
Internal MISP references
UUID 25d23e76-72b1-4d47-9c80-9610a91e4945
which can be used as unique global reference for Nytro
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
Syla
Internal MISP references
UUID bcbe2297-5ebf-48fe-936c-6f850f23383c
which can be used as unique global reference for Syla
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
Cobalt Strike
Cobalt Strike is software for Adversary Simulations and Red Team Operations.
Internal MISP references
UUID ca44dd5e-fd9e-48b5-99cb-0b2629b9265f
which can be used as unique global reference for Cobalt Strike
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
Related clusters
Sakula
The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015. Sakula enables an adversary to run interactive commands as well as to download and execute additional components.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sakula.
Known Synonyms |
---|
Sakurel |
VIPER |
Internal MISP references
UUID 3eca2d5f-41bf-4ad4-847f-df18befcdc44
which can be used as unique global reference for Sakula
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
Related clusters
hcdLoader
hcdLoader is a remote access tool (RAT) that has been used by APT18.
Internal MISP references
UUID 12bb8f4f-af29-49a0-8c2c-d28468f28fd8
which can be used as unique global reference for hcdLoader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
Related clusters
Crimson
Internal MISP references
UUID 8d8efbc6-d1b7-4ec8-bab3-591edba337d0
which can be used as unique global reference for Crimson
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
Related clusters
KjW0rm
Internal MISP references
UUID a7bffc6a-5b47-410b-b039-def16050adcb
which can be used as unique global reference for KjW0rm
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2013 |
Related clusters
Ghost
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ghost.
Known Synonyms |
---|
Ucul |
Internal MISP references
UUID 22f43398-47b2-4851-866a-b9ed0d355bf2
which can be used as unique global reference for Ghost
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2013 |
9002
Internal MISP references
UUID 21029a2d-85d7-40d0-9b87-8e8c414bf470
which can be used as unique global reference for 9002
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2013 |
Sandro RAT
Internal MISP references
UUID ad630149-e7d4-4ca0-9877-ef37743d00a3
which can be used as unique global reference for Sandro RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2014 |
Mega
Internal MISP references
UUID d0d7dc33-1c12-4a5a-b421-79f4761bd1b1
which can be used as unique global reference for Mega
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2014 |
WiRAT
Internal MISP references
UUID af66d0c1-15c9-4a0b-b0cc-4208914707e6
which can be used as unique global reference for WiRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2014 |
3PARA RAT
Internal MISP references
UUID 59fb0222-0e7d-4f5f-92ac-e68012fb927d
which can be used as unique global reference for 3PARA RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
BBS RAT
Internal MISP references
UUID 6e754ac7-0ffb-4510-9f70-4b74ab7bc868
which can be used as unique global reference for BBS RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2014 |
Konni
KONNI is a remote access Trojan (RAT) that was first reported in May of 2017, but is believed to have been in use for over 3 years. As part of our daily threat monitoring, FortiGuard Labs came across a new variant of the KONNI RAT and decided to take a deeper look.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Konni.
Known Synonyms |
---|
KONNI |
Internal MISP references
UUID 5b930a23-7d88-481f-8791-abc7b3dd93d2
which can be used as unique global reference for Konni
in MISP communities and other software using the MISP galaxy
External references
- https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant - webarchive
- https://www.cylance.com/en_us/blog/threat-spotlight-konni-stealthy-remote-access-trojan.html - webarchive
- https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/ - webarchive
- http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html - webarchive
- https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Related clusters
Felismus RAT
Used by Sowbug
Internal MISP references
UUID 1a35d040-1e0e-402b-8174-43e5c3c81922
which can be used as unique global reference for Felismus RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2014 |
Xsser
Xsser mRAT is a piece of malware that targets iOS devices that have software limitations removed. The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Xsser.
Known Synonyms |
---|
mRAT |
Internal MISP references
UUID b1abae3d-e1a1-4c50-a3b0-9509c594a600
which can be used as unique global reference for Xsser
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2014 |
GovRAT
GovRAT is an old cyberespionage tool; it has been in the wild since 2014 and has been used by various threat actors over the years.
Internal MISP references
UUID b6ddc2c6-5890-4c60-9b10-4274d1a9cc22
which can be used as unique global reference for GovRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2015 |
Related clusters
Rottie3
Internal MISP references
UUID 2e44066e-bb4f-41f9-86d3-495f83df5195
which can be used as unique global reference for Rottie3
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2015 |
Killer RAT
Internal MISP references
UUID 983d5ac0-2e26-4793-8bab-fce33ae4e46d
which can be used as unique global reference for Killer RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2015 |
Hi-Zor
Internal MISP references
UUID d22a3e65-75e5-4970-b424-bdc06ec33dba
which can be used as unique global reference for Hi-Zor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2015 |
Related clusters
Quaverse
Quaverse RAT or QRAT is a fairly new Remote Access Tool (RAT) introduced in May 2015. This RAT is marketed as an undetectable Java RAT. As you might expect from a RAT, the tool is capable of grabbing passwords, key logging and browsing files on the victim's computer. On a regular basis for the past several months, we have observed the inclusion of QRAT in a number of spam campaigns.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Quaverse.
Known Synonyms |
---|
QRAT |
Internal MISP references
UUID 3d7cbe3f-ba90-46f7-89a2-21aa52871404
which can be used as unique global reference for Quaverse
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2015 |
Heseber
Internal MISP references
UUID 69d1f7e0-d7df-4e86-bec5-b7df696c5bcf
which can be used as unique global reference for Heseber
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2015 |
Cardinal
Cardinal is a remote access trojan (RAT) discovered by Palo Alto Networks in 2017 and has been active for over two years. It is delivered via a downloader, known as Carp, and uses malicious macros in Microsoft Excel documents to compile embedded C# programming language source code into an executable that runs and deploys the Cardinal RAT. The malicious Excel files use different tactics to get victims to execute them.
Internal MISP references
UUID cb23f563-a8b9-4427-9884-594e8d3cc836
which can be used as unique global reference for Cardinal
in MISP communities and other software using the MISP galaxy
External references
- https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/ - webarchive
- https://www.scmagazine.com/cardinal-rats-unique-downloader-allowed-it-to-avoid-detection-for-years/article/651927/ - webarchive
- https://www.cyber.nj.gov/threat-profiles/trojan-variants/cardinal - webarchive
- https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
date | 2015 |
Related clusters
OmniRAT
Works on all Android, Windows, Linux and Mac devices!
Internal MISP references
UUID f091dfcb-07f4-4414-849e-c644e7327d94
which can be used as unique global reference for OmniRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2015 |
Related clusters
Jfect
Internal MISP references
UUID 10193e70-8bb7-4e48-b8f0-7692f2052c89
which can be used as unique global reference for Jfect
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2015 |
Trochilus
Trochilus is a remote access trojan (RAT) first identified in October 2015 when attackers used it to infect visitors of a Myanmar website. It was then used in a 2016 cyber-espionage campaign, dubbed "the Seven Pointed Dagger," managed by another group, "Group 27," who also uses the PlugX trojan. Trochilus is primarily spread via emails with a malicious .RAR attachment containing the malware. The trojan's functionality includes a shellcode extension, remote uninstall, a file manager, and the ability to download and execute, upload and execute, and access system information. Once present on a system, Trochilus can move laterally in the network for better access. This trojan operates in memory only and does not write to the disk, helping it evade detection.
Internal MISP references
UUID 8204723f-aefc-4c90-9178-8fe53e8d6f33
which can be used as unique global reference for Trochilus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2015 |
Related clusters
Matryoshka
Their most commonly used initial attack vector is a simple, yet alarmingly effective, spearphishing attack, infecting unsuspecting victims via a malicious email attachment (usually an executable that has been disguised as something else). From there, Matryoshka runs second stage malware via a dropper and covertly installs a Remote Access Toolkit (RAT). This is done using a reflective loader technique that allows the malware to run in process memory, rather than being written to disk. This not only hides the install of the RAT but also ensures that the RAT will be ‘reinstalled’ after system restart.
Internal MISP references
UUID 33b86249-5455-4698-a5e5-0c9591e673b9
which can be used as unique global reference for Matryoshka
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2015 |
Related clusters
Mangit
First discovered by Trend Micro in June, Mangit is a new malware family being marketed on both the Dark web and open internet. Users have the option to rent the trojan's infrastructure for about $600 per 10-day period or buy the source code for about $8,800. Mangit was allegedly developed by "Ric", a Brazilian hacker, who makes himself available via Skype to discuss rental agreements. Once the malware is rented or purchased, the user controls a portion of the Mangit botnet, the trojan, the dropper, an auto-update system, and the server infrastructure to run their attacks. Mangit contains support for nine Brazilian banks including Citibank, HSBC, and Santander. The malware can also be used to steal user PayPal credentials. Mangit has the capability to collect banking credentials, receive SMS texts when a victim is accessing their bank account, and take over victims' browsers. To circumvent two-factor authentication, attackers can use Mangit to lock victims' browsers and push pop-ups to the victim asking for the verification code they just received.
Internal MISP references
UUID 05ecfb96-f9ec-4dab-b7d3-86b8cb3fe7b5
which can be used as unique global reference for Mangit
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2016 |
LeGeNd
Internal MISP references
UUID 20336460-828e-4f18-bbe6-14f3579b5f5a
which can be used as unique global reference for LeGeNd
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2016 |
Revenge-RAT
Revenge v0.1 was a simple tool, according to a researcher known as Rui, who says the malware’s author didn’t bother obfuscating the RAT’s source code. This raised a question mark with the researchers, who couldn’t explain why VirusTotal scanners couldn’t pick it up as a threat right away. Revenge, which was written in Visual Basic, also didn’t have many working features compared to similar RATs. Even Napoleon admitted that his tool was still in the early development stages, a reason why he provided the RAT for free.
Internal MISP references
UUID 80c94c22-b294-4622-8934-e89a235d586f
which can be used as unique global reference for Revenge-RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2016 |
vjw0rm 0.1
“Vengeance Justice Worm” was first discovered in 2016 and is a highly multifunctional, modular, publicly available “commodity malware”, i.e., it can be purchased by those interested through various cybercrime and hacking related forums and channels.
VJwOrm is JavaScript-based malware that combines characteristics of a Worm, an Information Stealer, a Remote-Access Trojan (RAT), Denial-of-Service (DOS) malware, and a spam-bot.
VJw0rm is propagated primarily by malicious email attachments and by infecting removable storage devices.
Once executed by the victim, the very heavily obfuscated VJw0rm will enumerate installed drives and, if a removable drive is found, VJwOrm will infect it if configured to do so.
It will continue to gather victim information such as operating system details, user’s details, installed anti-virus product details, stored browser cookies, the presence of vbc.exe on the system (Microsoft’s .NET Visual Basic Compiler, this indicates that .NET is installed on the system and can affect the actor’s choice of additional malware delivery), and whether the system has been previously infected.
VJw0rm will then report this information back to its command-and-control server and await further commands, such as downloading and executing additional malware or employing any of its other numerous capabilities.
Finally, VJw0rm establishes persistence in the form of registry auto-runs, system startup folders, a scheduled task, or any combination of these methods.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular vjw0rm 0.1.
Known Synonyms |
---|
VJw0rm |
VJwOrm |
Vengeance Justice Worm |
Internal MISP references
UUID bf86d7a6-80af-4d22-a092-f822bf7201d2
which can be used as unique global reference for vjw0rm 0.1
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2016 |
rokrat
ROKRAT is a remote access trojan (RAT) that leverages a malicious Hangul Word Processor (HWP) document sent in spearphishing emails to infect hosts. The HWP document contains an embedded Encapsulated PostScript (EPS) object. The object exploits an EPS buffer overflow vulnerability and downloads a binary disguised as a .JPG file. The file is then decoded and the ROKRAT executable is initiated. The trojan uses legitimate Twitter, Yandex, and Mediafire websites for its command and control communications and exfiltration platforms, making them difficult to block globally. Additionally, the platforms use HTTPS connections, making it more difficult to gather additional data on its activities. Cisco's Talos Group identified two email campaigns. In one, attackers send potential victims emails from an email server of a private university in Seoul, South Korea with a sender email address of "kgf2016@yonsei.ac.kr," the contact email for the Korea Global Forum, adding a sense of legitimacy to the email. It is likely that the email address was compromised and used by the attackers in this campaign. The second is less sophisticated and sends emails claiming to be from a free Korean mail service with the subject line, "Request Help" and attached malicious HWP filename, "I'm a munchon person in Gangwon-do, North Korea." The ROKRAT developer uses several techniques to hinder analysis, including identifying tools usually used by malware analysts or within sandbox environments. Once it has infected a device, this trojan can execute commands, move a file, remove a file, kill a process, download and execute a file, upload documents, capture screenshots, and log keystrokes. Researchers believe the developer is a native Korean speaker and the campaign is currently targeting Korean-speakers.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular rokrat.
Known Synonyms |
---|
ROKRAT |
Internal MISP references
UUID 38e68703-1db4-4b97-80e9-a0afd099da58
which can be used as unique global reference for rokrat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2016 |
Qarallax
Travelers applying for a US Visa in Switzerland were recently targeted by cyber-criminals linked to a malware called QRAT. Twitter user @hkashfi posted a Tweet saying that one of his friends received a file (US Travel Docs Information.jar) from someone posing as USTRAVELDOCS.COM support personnel using the Skype account ustravelidocs-switzerland (notice the “i” between “travel” and “docs”).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Qarallax.
Known Synonyms |
---|
qrat |
Internal MISP references
UUID 179288c9-4ff1-4a7e-b728-35dd2e6aac43
which can be used as unique global reference for Qarallax
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2016 |
Related clusters
MoonWind
MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.
Internal MISP references
UUID f266754c-d0aa-4918-95a3-73b28eaa66e3
which can be used as unique global reference for MoonWind
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2016 |
Related clusters
Remcos
Remcos is another RAT (Remote Administration Tool) that was first discovered being sold in hacking forums in the second half of 2016. Since then, it has been updated with more features, and just recently, we’ve seen its payload being distributed in the wild for the first time.
Internal MISP references
UUID f647cca0-7416-47e9-8342-94b84dd436cc
which can be used as unique global reference for Remcos
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2016 |
Related clusters
Client Maximus
The purpose of the Client Maximus malware is financial fraud. As such, its code aspires to create the capabilities that most banking Trojans have, which allow attackers to monitor victims’ web navigation and interrupt online banking sessions at will. After taking over a victim’s banking session, an attacker operating this malware can initiate a fraudulent transaction from the account and use social engineering screens to manipulate the unwitting victim into authorizing it.
Internal MISP references
UUID d840e5af-3e6b-49af-ab82-fb4f8740bf55
which can be used as unique global reference for Client Maximus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2016 |
Related clusters
TheFat RAT
TheFatRat, a massive exploiting tool revealed >> An easy tool to generate backdoors and an easy tool for post-exploitation attacks such as browser attacks and DLL injection. This tool compiles malware with a popular payload, and the compiled malware can then be executed on Windows, Android and Mac. The malware created with this tool also has the ability to bypass most…
Internal MISP references
UUID 90b4addc-e9ff-412d-899e-7204c89c0bdb
which can be used as unique global reference for TheFat RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2016 |
RedLeaves
Since around October 2016, JPCERT/CC has been confirming information leakage and other damages caused by malware ‘RedLeaves’. It is a new type of malware which has been observed since 2016 in attachments to targeted emails.
Internal MISP references
UUID ad6a1b4a-6d79-40d4-adb7-1d7ca697347e
which can be used as unique global reference for RedLeaves
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2016 |
Related clusters
Rurktar
Dubbed Rurktar, the tool hasn’t had all of its functionality implemented yet, but G DATA says “it is relatively safe to say [it] is intended for use in targeted spying operations.” The malicious program could be used for reconnaissance operations, as well as to spy on infected computers users, and steal or upload files.
Internal MISP references
UUID 40bce827-4049-46e4-8323-3ab58f0f00bc
which can be used as unique global reference for Rurktar
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2017 |
Related clusters
RATAttack
RATAttack is a remote access trojan (RAT) that uses the Telegram protocol to support encrypted communication between the victim's machine and the attacker. The Telegram protocol also provides a simple method to communicate to the target, negating the need for port forwarding. Before using RATAttack, the attacker must create a Telegram bot and embed the bot's Telegram token into the trojan's configuration file. When a system is infected with RATAttack, it connects to the bot's Telegram channel. The attacker can then connect to the same channel and manage the RATAttack clients on the infected host machines. The trojan's code was available on GitHub then was taken down by the author on April 19, 2017.
Internal MISP references
UUID 2384b62d-312f-43e2-ab47-68c9fcca1541
which can be used as unique global reference for RATAttack
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2017 |
KhRAT
So called because the Command and Control (C2) infrastructure from previous variants of the malware was located in Cambodia, as discussed by Roland Dela Paz at Forcepoint here, KHRAT is a Trojan that registers victims using their infected machine’s username, system language and local IP address. KHRAT provides the threat actors with typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.
Internal MISP references
UUID 9da7b7b2-f514-4114-83c0-ce3a5f635d2e
which can be used as unique global reference for KhRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2017 |
RevCode
Internal MISP references
UUID 5a3463d3-ff2a-41e2-9186-55da8c88b349
which can be used as unique global reference for RevCode
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2017 |
AhNyth Android
Android Remote Administration Tool
Internal MISP references
UUID b1df2bb1-7fd4-4a25-93c3-fe1f2c7cf529
which can be used as unique global reference for AhNyth Android
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2017 |
Socket23
SOCKET23 was launched from his web site and immediately infected major French corporations between August and October 1998. The virus (distributing the Trojan) was known as W32/HLLP.DeTroie.A (alias W32/Cheval.TCV). Never had a virus so disrupted French industry. The author quickly offered his own remover and made his apologies on his web site (now suppressed). Jean-Christophe X (18) was arrested on Tuesday 15 June 1999 in the Paris area and placed under judicial investigation for ‘fraudulent intrusion of data in a data processing system, suppression and fraudulent modification of data’.
Internal MISP references
UUID da7c818f-5f3b-415c-b885-cf0a71d6e89e
which can be used as unique global reference for Socket23
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 1998 |
PowerRAT
Internal MISP references
UUID b3620451-8871-4078-bbf9-aa5bab641299
which can be used as unique global reference for PowerRAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2017 |
MacSpy
Standard macOS backdoor, offered via a 'malware-as-a-service' model. MacSpy is advertised as the "most sophisticated Mac spyware ever", with the low starting price of free. While the idea of malware-as-a-service (MaaS) isn’t a new one, with players such as Tox and Shark in the game, it can be said that MacSpy is one of the first seen for the OS X platform.
Internal MISP references
UUID b7cea5fe-d3fe-47cf-ba82-104c90e130ff
which can be used as unique global reference for MacSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2017 |
Related clusters
DNSMessenger
Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of PowerShell, with various stages being completely fileless, indicates an attacker who has taken significant measures to avoid detection.
Internal MISP references
UUID ee8ccb36-2596-43a3-a044-b8721dbeb2ab
which can be used as unique global reference for DNSMessenger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2017 |
Related clusters
PentagonRAT
Internal MISP references
UUID d208daa3-6ecd-4faf-8492-04f7b5b2dd28
which can be used as unique global reference for PentagonRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2017 |
NewCore
NewCore is a remote access trojan first discovered by Fortinet researchers while conducting analysis on a China-linked APT campaign targeting Vietnamese organizations. The trojan is a DLL file, executed after a trojan downloader is installed on the targeted machine. Based on strings in the code, the trojan may be compiled from the publicly-available source code of the PcClient and PcCortr backdoor trojans.
Internal MISP references
UUID 6a505bfc-87fe-4bd2-97d7-394a3c29611d
which can be used as unique global reference for NewCore
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2017 |
Deeper RAT
Internal MISP references
UUID d7739c15-07af-4cfd-9eea-a28ed90cbfa5
which can be used as unique global reference for Deeper RAT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2010 |
Xyligan
Internal MISP references
UUID 0a75f34a-eaca-4ed8-b2f2-3f713c7a0693
which can be used as unique global reference for Xyligan
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2012 |
H-w0rm
Internal MISP references
UUID ca6e2e9b-6b5a-447b-9561-295c807a6484
which can be used as unique global reference for H-w0rm
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
date | 2013 |
htpRAT
On November 8, 2016 a non-disclosed entity in Laos was spear-phished by a group closely related to known Chinese adversaries and most likely affiliated with the Chinese government. The attackers utilized a new kind of Remote Access Trojan (RAT) that has not been previously observed or reported. The new RAT extends the capabilities of traditional RATs by providing complete remote execution of custom commands and programming. htpRAT, uncovered by RiskIQ cyber investigators, is the newest weapon in the Chinese adversary’s arsenal in a campaign against Association of Southeast Asian Nations (ASEAN). Most RATs can log keystrokes, take screenshots, record audio and video from a webcam or microphone, install and uninstall programs and manage files. They support a fixed set of commands operators can execute using different command IDs —’file download’ or ‘file upload,’ for example—and must be completely rebuilt to have different functionality. htpRAT, on the other hand, serves as a conduit for operators to do their job with greater precision and effect. On the Command and Control (C2) server side, threat actors can build new functionality in commands, which can be sent to the malware to execute. This capability makes htpRAT a small, agile, and incredibly dynamic piece of malware. Operators can change functionality, such as searching for a different file on the victim’s network, simply by wrapping commands.
Internal MISP references
UUID 7362581a-a7d1-4060-b225-e227f2df2b60
which can be used as unique global reference for htpRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
FALLCHILL
According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.
Internal MISP references
UUID e0bea149-2def-484f-b658-f782a4f94815
which can be used as unique global reference for FALLCHILL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
UBoatRAT
Palo Alto Networks Unit 42 has identified attacks with a new custom Remote Access Trojan (RAT) called UBoatRAT. The initial version of the RAT, found in May of 2017, was a simple HTTP backdoor that uses a public blog service in Hong Kong and a compromised web server in Japan for command and control. The developer soon added various new features to the code and released an updated version in June. The attacks with the latest variants we found in September have the following characteristics:
- Targets personnel or organizations related to South Korea or the video games industry
- Distributes malware through Google Drive
- Obtains the C2 address from GitHub
- Uses Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence
Internal MISP references
UUID 03694200-80c2-433d-9797-09eafcad1075
which can be used as unique global reference for UBoatRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
CrossRat
The EFF/Lookout report describes CrossRat as a “newly discovered desktop surveillanceware tool…which is able to target Windows, OSX, and Linux.”
Internal MISP references
UUID 696125b9-7a91-463a-9e6b-b4fc381b8833
which can be used as unique global reference for CrossRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TSCookieRAT
TSCookie provides parameters such as C&C server information when loading TSCookieRAT. Upon the execution, information of the infected host is sent with HTTP POST request to an external server. (The HTTP header format is the same as TSCookie.) The data is RC4-encrypted from the beginning to 0x14 (the key is Date header value), which is followed by the information of the infected host (host name, user name, OS version, etc.). Please refer to Appendix C, Table C-1 for the data format.
Internal MISP references
UUID 7b107b46-4eca-11e8-b89f-0366ae765ddd
which can be used as unique global reference for TSCookieRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Coldroot
Coldroot, a remote access trojan (RAT), is still undetectable by most antivirus engines, despite being uploaded and freely available on GitHub for almost two years. The RAT appears to have been created as a joke, "to Play with Mac users," and "give Mac it's rights in this [the RAT] field," but has since expanded to work on all three major desktop operating systems — Linux, macOS, and Windows — according to a screenshot of its builder extracted from a promotional YouTube video.
Internal MISP references
UUID 86f1f048-4eca-11e8-a08e-7708666ace6e
which can be used as unique global reference for Coldroot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Comnie
Comnie is a RAT originally identified by Sophos. It has been using GitHub, Tumblr and Blogspot as covert channels for its C2 communications. Comnie has been observed targeting government, defense, aerospace, high-tech and telecommunication sectors in Asia.
Internal MISP references
UUID d14806fe-4ecb-11e8-a120-ff726de6a4d3
which can be used as unique global reference for Comnie
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GravityRAT
GravityRAT has been under ongoing development for at least 18 months, during which the developer has implemented new features. We've seen file exfiltration, remote command execution capability and anti-vm techniques added throughout the life of GravityRAT. This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor.
Internal MISP references
UUID 2d356870-4ecd-11e8-9bb8-e3ba5aa7da31
which can be used as unique global reference for GravityRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
ARS VBS Loader
ARS VBS Loader not only downloads and executes malicious code, but also includes a command and control application written in PHP that allows a botmaster to issue commands to a victim's machine. This behavior likens ARS VBS Loader to a remote access Trojan (RAT), giving it behavior and capabilities rarely seen in malicious "loaders".
Internal MISP references
UUID cd6527d1-17a7-4825-8b4b-56e113d0efb1
which can be used as unique global reference for ARS VBS Loader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
RadRAT
RadRAT's capabilities include: unfettered control of the compromised computer, lateral movement across the organization (Mimikatz-like credentials harvesting, NTLM hash harvesting from the Windows registry and implementation of the Pass-the-Hash attack on SMB connections) and rootkit-like detection-evasion mechanisms.
Internal MISP references
UUID 5a3df9d7-82de-445e-a218-406b970600d7
which can be used as unique global reference for RadRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
FlawedAmmyy
FlawedAmmyy has been used since the beginning of 2016 in both highly targeted email attacks as well as massive, multi-million message campaigns. The RAT is based on leaked source code for Version 3 of the Ammyy Admin remote desktop software. As such, FlawedAmmyy contains the functionality of the leaked version, including: Remote Desktop control, File system manager, Proxy support, Audio Chat.
Internal MISP references
UUID 3c1003a2-8364-467a-b9b8-fcc19724a9b5
which can be used as unique global reference for FlawedAmmyy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
Spymaster Pro
Monitoring Software
Internal MISP references
UUID e9f9d900-4f9a-11e8-bce9-4bfbb0e9ab4c
which can be used as unique global reference for Spymaster Pro
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
NavRAT
Classic RAT that can download, upload, execute commands on the victim host and perform keylogging. However, the command and control (C2) infrastructure is very specific. It uses the legitimate Naver email platform in order to communicate with the attackers via email.
Internal MISP references
UUID 6ea032a0-d54a-463b-b016-2b7b9b9a5b7e
which can be used as unique global reference for NavRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
joanap
Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device.
Internal MISP references
UUID caac1aa2-6982-11e8-8107-a331ae3511e7
which can be used as unique global reference for joanap
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Sisfader
Sisfader maintains persistence by installing itself as a system service. It is made up of multiple components ([1] Dropper - installing the malware, [2] Agent - main code of the RAT, [3] Config - written to the registry, [4] Auto Loader - responsible for extracting the Agent and the Config from the registry) and it has its own custom protocol for communication.
Internal MISP references
UUID b533439d-b060-4c90-80e0-9dce67b0c6fb
which can be used as unique global reference for Sisfader
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
SocketPlayer
The RAT is written in .NET and uses socket.io for communication. Currently there are two variants of the malware: the first variant is a typical downloader, whereas the second one has download and C2 functionalities.
Internal MISP references
UUID d9475765-2cea-45c0-b638-a082b9427239
which can be used as unique global reference for SocketPlayer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Hallaj PRO RAT
RAT
Internal MISP references
UUID f6447046-f4e8-4977-9cc3-edee74ff0038
which can be used as unique global reference for Hallaj PRO RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
NukeSped
This threat can install other malware on your PC, including Trojan:Win32/NukeSped.B!dha and Trojan:Win32/NukeSped.C!dha. It can show you a warning message that says your files will be made publicly available if you don't follow the malicious hacker's commands.
Internal MISP references
UUID 5d0369ee-c718-11e8-b328-035ed1bdca07
which can be used as unique global reference for NukeSped
in MISP communities and other software using the MISP galaxy
External references
- https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~NukeSped-Z.aspx - webarchive
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win64/NukeSped&ThreatID=-2147238204 - webarchive
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/NukeSped!bit&ThreatID=-2147238152 - webarchive
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/NukeSped - webarchive
- https://malwarefixes.com/threats/win32nukesped/ - webarchive
- https://www.alienvault.com/forums/discussion/17301/alienvault-labs-threat-intelligence-update-for-usm-anywhere-march-25-march-31-2018 - webarchive
Associated metadata
Metadata key | Value |
---|---|
TheOneSpy
Remotely monitor and control any wrong activity of kids on all smartphones & computers
Internal MISP references
UUID da5feaef-d96f-46e2-aad7-bd2745801048
which can be used as unique global reference for TheOneSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
BONDUPDATER
BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017, when OilRig targeted a different Middle Eastern governmental organization. The BONDUPDATER Trojan contains basic backdoor functionality, allowing threat actors to upload and download files, as well as the ability to execute commands. BONDUPDATER, like other OilRig tools, uses DNS tunneling to communicate with its C2 server. During the past month, Unit 42 observed several attacks against a Middle Eastern government leveraging an updated version of the BONDUPDATER malware, which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications.
Internal MISP references
UUID ef9f1592-0186-4f5d-a8ea-6c10450d2219
which can be used as unique global reference for BONDUPDATER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
FlawedGrace
Proofpoint also points out that FlawedGrace is a full-featured RAT written in C++ and that it is a very large program that makes "extensive use of object-oriented and multithreaded programming techniques." As a consequence, getting familiar with its internal structure takes a lot of time and is far from a simple task.
Internal MISP references
UUID 428c8288-6f65-453f-bfa2-4b519d08f8e9
which can be used as unique global reference for FlawedGrace
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
H-worm
H-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the author is based in Algeria and has connections to njq8, the author of njw0rm [1] and njRAT/LV [2], through means of a shared or common code base. We have seen the H-worm RAT being employed in targeted attacks against the international energy industry; however, we also see it being employed in a wider context in run-of-the-mill attacks through spammed email attachments and malicious links.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular H-worm.
Known Synonyms |
---|
Dunihi |
Houdini |
WSHRat |
Internal MISP references
UUID 1b6a067b-50b9-4aa7-a49b-823e94e210fe
which can be used as unique global reference for H-worm
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
Parasite-HTTP-RAT
The RAT, dubbed Parasite HTTP, is especially notable for the extensive array of techniques it incorporates for sandbox detection, anti-debugging, anti-emulation, and other protections. The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post infection.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Parasite-HTTP-RAT.
Known Synonyms |
---|
Parasite HTTP |
Internal MISP references
UUID 1b6a067c-50ba-4aa7-a59b-824e94e210fe
which can be used as unique global reference for Parasite-HTTP-RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Caesar RAT
Caesar is an HTTP-based RAT that allows you to remotely control devices directly from your browser.
Internal MISP references
UUID 1b6a066c-50ba-4aa6-a49b-823e94e110fe
which can be used as unique global reference for Caesar RAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
FlawedAmmy
During the month of October, Check Point researchers discovered a widespread malware campaign spreading a remote access trojan (dubbed “FlawedAmmy”) that allows attackers to take over victims’ computers and data. The campaign was the latest and most widespread delivering the ‘FlawedAmmyy’ RAT, following a number of campaigns that have spread this malware in recent months. The Trojan allows attackers to gain full access to the machine’s camera and microphone, collect screen grabs, steal credentials and sensitive files, and intrusively monitor the victims’ actions. As a result, FlawedAmmy is the first RAT to enter the Global Threat Index’s top 10 ranking.
Internal MISP references
UUID 4b9b99f0-9c2d-4db5-aaff-09de88509c04
which can be used as unique global reference for FlawedAmmy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Felipe
The Zscaler ThreatLabZ team came across a new strain of infostealer Trojan called Felipe, which silently installs itself onto a user’s system and connects to a command-and-control (C&C) server to send system information from the compromised system. This malware is compiled for both 32-bit and 64-bit Windows operating systems. Felipe basically steals the victim's debit and credit card information and sends it, along with other personal information, to the remote C&C server. It also sets a date and time to perform other malicious activity upon successful infection of the victim machine.
Internal MISP references
UUID 0f117f50-9657-11e9-8e2b-83e391e0ce57
which can be used as unique global reference for Felipe
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Amavaldo Banking Trojan
Amavaldo is a banking trojan written in Delphi and known to target Spanish- or Portuguese-speaking countries. It contains backdoor functionality and can work as a multi-stage malware. Amavaldo also abuses legitimate tools and software.
Internal MISP references
UUID 39c65b1d-7799-43d6-a963-4a058b1c756e
which can be used as unique global reference for Amavaldo Banking Trojan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
date | 2019 |
AsyncRAT
Open-Source Remote Administration Tool For Windows C# (RAT)
Internal MISP references
UUID 1b6a065c-40ba-4aa5-a46b-813e74e010fe
which can be used as unique global reference for AsyncRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
InnfiRAT
A new RAT called InnfiRAT, which is written in .NET and designed to perform specific tasks from an infected machine.
Internal MISP references
UUID 1b4a085c-30bb-5aa5-b46a-803e94e010ff
which can be used as unique global reference for InnfiRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
KeyBase
In the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.
Internal MISP references
UUID b3cfd21f-b637-42ff-b118-2803630b718a
which can be used as unique global reference for KeyBase
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Warzone
Apparently in existence since 2018.
Internal MISP references
UUID bbff39cb-a12b-4b18-be20-aa9e6d378fa6
which can be used as unique global reference for Warzone
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
SDBbot
SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence. SDBbot is composed of three pieces: an installer, a loader, and a RAT component.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SDBbot.
Known Synonyms |
---|
SDB bot |
Internal MISP references
UUID 9d36db93-7d60-4da6-a611-1a32e02a054f
which can be used as unique global reference for SDBbot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Sepulcher
A China-based APT has been sending organizations spear-phishing emails that distribute a never-before-seen intelligence-collecting RAT dubbed Sepulcher.
Researchers discovered the new malware being distributed over the past six months through two separate campaigns. The first, in March, targeted European diplomatic and legislative bodies, non-profit policy research organizations and global organizations dealing with economic affairs. The second, in July, targeted Tibetan dissidents. They tied the campaigns to APT group TA413, which researchers say has been associated with Chinese state interests and is known for targeting the Tibetan community.
“Based on the use of publicly known sender addresses associated with Tibetan dissident targeting and the delivery of Sepulcher malware payloads, [we] have attributed both campaigns to the APT actor TA413,” said Proofpoint researchers in a Wednesday analysis. “The usage of publicly known Tibetan-themed sender accounts to deliver Sepulcher malware demonstrates a short-term realignment of TA413’s targets of interest.”
Internal MISP references
UUID d0ed7527-cd1b-4b05-bbac-2e409ca46104
which can be used as unique global reference for Sepulcher
in MISP communities and other software using the MISP galaxy
External references
- https://www.enigmasoftware.fr/logicielmalveillantsepulcher-supprimer/ - webarchive
- https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/ - webarchive
- https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher - webarchive
- https://cyware.com/news/chinese-apt-ta413-found-distributing-sepulcher-malware-176a0969 - webarchive
Associated metadata
Metadata key | Value |
---|---|
Guildma
The campaign spreads via phishing emails posing as invoices, tax reports, invitations and similar types of messages containing a ZIP archive attachment with a malicious LNK file. When a user opens the malicious LNK file, it abuses the Windows Management Instrumentation Command-line tool and silently downloads a malicious XSL file. The XSL file downloads all of Guildma’s modules and executes a first stage loader, which loads the rest of the modules. The malware is then active and waits for commands from the C&C server and/or specific user interactions, such as opening a webpage of one of the targeted banks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Guildma.
Known Synonyms |
---|
Astaroth |
Internal MISP references
UUID 833ed94d-97c1-4b57-9634-c27bf42eb867
which can be used as unique global reference for Guildma
in MISP communities and other software using the MISP galaxy
External references
- https://www.securityweek.com/guildma-malware-expands-targets-beyond-brazil - webarchive
- https://www.securityweek.com/extensive-living-land-hides-stealthy-malware-campaign - webarchive
- https://isc.sans.edu/diary/rss/28962 - webarchive
- https://otx.alienvault.com/pulse/6303804723bccc7e3caad737?utm_userid=alexandre.dulaunoy@circl.lu&utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed - webarchive
Associated metadata
Metadata key | Value |
---|---|
Milan
Milan is a 32-bit RAT written in Visual C++ and .NET. Milan is loaded and persists using tasks. An encoded routine waits for three to four seconds between executing the first task, deleting this task, and setting a second scheduled task for persistence.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Milan.
Known Synonyms |
---|
James |
Internal MISP references
UUID a5e5a48a-5ce7-45f0-97d7-517d7f37b4ce
which can be used as unique global reference for Milan
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
DarkWatchman
In late November, Prevailion’s Adversarial Counterintelligence Team (PACT) identified what appeared to be a malicious JavaScript-based Remote Access Trojan (RAT) that uses a robust Domain Generation Algorithm (DGA) to identify its Command and Control (C2) infrastructure and that utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation. This RAT, which PACT refers to by its internal codename “DarkWatchman”, has been observed being distributed by email and represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools. PACT has reverse engineered the DGA, dynamically analyzed the malware, investigated the Threat Actor’s (TA) web-based infrastructure, and consolidated the results of its analysis into a report.
Internal MISP references
UUID 35198ca6-6f8d-49cd-be1b-65f21b2e7e00
which can be used as unique global reference for DarkWatchman
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Ragnatela
Malwarebytes Lab identified a new variant of the BADNEWS RAT called Ragnatela. It is being distributed via spear phishing emails to targets of interest in Pakistan. Ragnatela, which means spider web in Italian, is also the project name and panel used by Patchwork APT. Ironically, the threat actor infected themselves with their own RAT.
Internal MISP references
UUID e79cb167-6639-46a3-9646-b12535aa21b6
which can be used as unique global reference for Ragnatela
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
STRRAT
STRRAT is a Java-based RAT with a JavaScript wrapper/dropper that was discovered in 2020. Its core payload (a .JAR file) is contained under several layers of obfuscation and encoding inside the JavaScript wrapper/dropper.
STRRAT is propagated by malicious email attachments. Its capabilities include standard RAT functionalities (remote access, remote command execution), browser and email-client credential harvesting, and a unique ransomware-like functionality – if instructed, it will add a “.crimson” extension to files on the device, rendering them inoperable (though they can be easily recovered because their content is not modified).
Unlike much Java-based malware, STRRAT does not require Java to be installed on the infected system in order to operate. When the JavaScript wrapper/dropper is executed, if a suitable Java runtime installation is not found, one is downloaded and installed to ensure the contained Java payload can execute.
Internal MISP references
UUID b30cb6f4-1e0a-4a97-8d88-ca38f83b4422
which can be used as unique global reference for STRRAT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
COATHANGER
Chinese FortiGate RAT. The COATHANGER malware is a remote access trojan (RAT) designed specifically for FortiGate appliances. It is used as second-stage malware, and does not exploit a new vulnerability. Intelligence services MIVD & AIVD refer to the malware as COATHANGER based on a string present in the code.
The COATHANGER malware is stealthy and persistent. It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.
MIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies.
MIVD & AIVD assess that use of COATHANGER may be relatively targeted. The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce COATHANGER as a communication channel for select victims.
Internal MISP references
UUID c04e9738-de62-43e4-b645-2e308c1f77f7
which can be used as unique global reference for COATHANGER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|