misp-galaxy/clusters/mitre-malware.json

30955 lines
1,003 KiB
JSON
Raw Normal View History

2017-08-16 10:17:00 +00:00
{
2017-10-26 08:28:53 +00:00
"authors": [
"MITRE"
],
2018-10-19 08:23:09 +00:00
"category": "tool",
2017-10-26 08:28:53 +00:00
"description": "Name of ATT&CK software",
"name": "Malware",
"source": "https://github.com/mitre/cti",
"type": "mitre-malware",
"uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
2017-10-26 08:28:53 +00:00
"values": [
{
"description": "[Hacking Team UEFI Rootkit](https://attack.mitre.org/software/S0047) is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. (Citation: TrendMicro Hacking Team UEFI)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0047",
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0047",
"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"Hacking Team UEFI Rootkit"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
}
],
"uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8",
"value": "Hacking Team UEFI Rootkit - S0047"
2017-10-26 08:28:53 +00:00
},
{
"description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0314",
"mitre_platforms": [
"Android"
],
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0314",
"https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"X-Agent for Android"
]
2017-10-26 08:28:53 +00:00
},
2018-10-12 09:00:00 +00:00
"related": [
{
"dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "56660521-6db4-4e5a-a927-464f22954b7c",
"value": "X-Agent for Android - S0314"
},
{
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).",
"meta": {
"external_id": "S0316",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0316",
"https://blog.lookout.com/blog/2017/04/03/pegasus-android/",
"https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"
],
"synonyms": [
"Pegasus for Android",
"Chrysaor"
]
},
"related": [
{
"dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "93799a9d-3537-43d8-b6f4-17215de1657c",
"value": "Pegasus for Android - S0316"
2017-10-26 08:28:53 +00:00
},
{
"description": "[Android Overlay Malware](https://attack.mitre.org/software/S0296) is malware that was used in a 2016 campaign targeting European countries. The malware attempted to trick users into providing banking credentials. (Citation: FireEye-AndroidOverlay)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0296",
"mitre_platforms": [
"Android"
],
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0296",
"https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malware-spreading-in-europe.html"
],
"synonyms": [
"Android Overlay Malware"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b6d3657a-2d6a-400f-8b7e-4d60391aa1f7",
"value": "Android Overlay Malware - S0296"
2017-10-26 08:28:53 +00:00
},
{
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. (Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0289",
"mitre_platforms": [
"iOS"
],
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0289",
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf",
"https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"Pegasus for iOS"
]
2017-10-26 08:28:53 +00:00
},
2018-10-12 09:00:00 +00:00
"related": [
{
"dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
2018-10-12 09:00:00 +00:00
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
}
],
"uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a",
"value": "Pegasus for iOS - S0289"
2017-10-26 08:28:53 +00:00
},
{
"description": "[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups. (Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)",
"meta": {
"external_id": "S0032",
"mitre_platforms": [
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0032",
"https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html",
"https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/",
"https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/april/decoding-network-data-from-a-gh0st-rat-variant/"
],
"synonyms": [
"gh0st RAT"
]
},
"related": [
{
"dest-uuid": "1b1ae63f-bcee-4aba-8994-6c60cee5e16f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24",
"value": "gh0st RAT - S0032"
},
{
"description": "[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1100) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. (Citation: Lee 2013) It has been used by several threat groups. (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0020",
"mitre_platforms": [
"Windows"
],
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0020",
"https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"China Chopper"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70",
"value": "China Chopper - S0020"
2017-10-26 08:28:53 +00:00
},
{
"description": "[Skeleton Key](https://attack.mitre.org/software/S0007) is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. (Citation: Dell Skeleton) Functionality similar to [Skeleton Key](https://attack.mitre.org/software/S0007) is included as a module in [Mimikatz](https://attack.mitre.org/software/S0002).",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0007",
"mitre_platforms": [
"Windows"
],
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0007",
"https://www.secureworks.com/research/skeleton-key-malware-analysis"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"Skeleton Key"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49",
"value": "Skeleton Key - S0007"
2017-10-26 08:28:53 +00:00
},
{
"description": "[P2P ZeuS](https://attack.mitre.org/software/S0016) is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. (Citation: Dell P2P ZeuS)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0016",
"mitre_platforms": [
"Windows"
2017-10-26 08:28:53 +00:00
],
"refs": [
"https://attack.mitre.org/software/S0016",
"http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"P2P ZeuS",
"Peer-to-Peer ZeuS",
"Gameover ZeuS"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
}
],
"uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85",
"value": "P2P ZeuS - S0016"
2017-10-26 08:28:53 +00:00
},
{
"description": "[Unknown Logger](https://attack.mitre.org/software/S0130) is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. (Citation: Forcepoint Monsoon)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0130",
"mitre_platforms": [
"Windows"
2017-10-26 08:28:53 +00:00
],
"refs": [
"https://attack.mitre.org/software/S0130",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"Unknown Logger"
]
},
"related": [
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56",
"value": "Unknown Logger - S0130"
},
{
"description": "[Cherry Picker](https://attack.mitre.org/software/S0107) is a point of sale (PoS) memory scraper. (Citation: Trustwave Cherry Picker)",
"meta": {
"external_id": "S0107",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0107",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/"
],
"synonyms": [
"Cherry Picker"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
},
{
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
}
],
"uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe",
"value": "Cherry Picker - S0107"
2017-10-26 08:28:53 +00:00
},
{
"description": "[Zeus Panda](https://attack.mitre.org/software/S0330) is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda](https://attack.mitre.org/software/S0330)s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0330",
"mitre_platforms": [
"Windows"
],
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0330",
"https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More",
"https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"Zeus Panda"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
2018-10-12 09:00:00 +00:00
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
2018-10-12 09:00:00 +00:00
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
2018-10-12 09:00:00 +00:00
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
}
],
"uuid": "198db886-47af-4f4c-bff5-11b891f85946",
"value": "Zeus Panda - S0330"
2017-10-26 08:28:53 +00:00
},
{
"description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0305",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0305",
"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"SpyNote RAT"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"value": "SpyNote RAT - S0305"
},
{
"description": "[3PARA RAT](https://attack.mitre.org/software/S0066) is a remote access tool (RAT) programmed in C++ that has been used by [Putter Panda](https://attack.mitre.org/groups/G0024). (Citation: CrowdStrike Putter Panda)",
"meta": {
"external_id": "S0066",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0066",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
],
"synonyms": [
"3PARA RAT"
]
},
"related": [
2018-10-12 09:00:00 +00:00
{
"dest-uuid": "59fb0222-0e7d-4f5f-92ac-e68012fb927d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
2018-10-12 09:00:00 +00:00
{
"dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
2018-10-12 09:00:00 +00:00
}
],
"uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a",
"value": "3PARA RAT - S0066"
2017-10-26 08:28:53 +00:00
},
{
"description": "[4H RAT](https://attack.mitre.org/software/S0065) is malware that has been used by [Putter Panda](https://attack.mitre.org/groups/G0024) since at least 2007. (Citation: CrowdStrike Putter Panda)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0065",
"mitre_platforms": [
"Windows"
],
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0065",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"4H RAT"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "d8aad68d-a68f-42e1-b755-d5f383b73401",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc",
"value": "4H RAT - S0065"
2017-10-26 08:28:53 +00:00
},
{
"description": "[Net Crawler](https://attack.mitre.org/software/S0056) is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using [PsExec](https://attack.mitre.org/software/S0029) to execute a copy of [Net Crawler](https://attack.mitre.org/software/S0056). (Citation: Cylance Cleaver)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0056",
"mitre_platforms": [
"Windows"
],
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0056",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"Net Crawler",
"NetC"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704",
"value": "Net Crawler - S0056"
},
{
"description": "[AutoIt backdoor](https://attack.mitre.org/software/S0129) is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. (Citation: Forcepoint Monsoon) This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.",
"meta": {
"external_id": "S0129",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0129",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
],
"synonyms": [
"AutoIt backdoor"
]
},
"related": [
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300",
"value": "AutoIt backdoor - S0129"
},
{
"description": "[Agent Tesla](https://attack.mitre.org/software/S0331) is a spyware Trojan written in visual basic.(Citation: Fortinet Agent Tesla April 2018)",
"meta": {
"external_id": "S0331",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0331",
"https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
"https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html",
"https://www.digitrustgroup.com/agent-tesla-keylogger/"
],
"synonyms": [
"Agent Tesla"
]
},
"related": [
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"value": "Agent Tesla - S0331"
2017-10-26 08:28:53 +00:00
},
{
"description": "[Power Loader](https://attack.mitre.org/software/S0177) is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0177",
"mitre_platforms": [
"Windows"
],
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0177",
"https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html",
"https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/"
],
"synonyms": [
"Power Loader",
"Win32/Agent.UAW"
]
},
"related": [
{
"dest-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3",
"value": "Power Loader - S0177"
},
{
"description": "[Brave Prince](https://attack.mitre.org/software/S0252) is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to [Gold Dragon](https://attack.mitre.org/software/S0249), and was seen along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations surrounding the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)",
"meta": {
"external_id": "S0252",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0252",
"https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"Brave Prince"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "28b97733-ef07-4414-aaa5-df50b2d30cc5",
"value": "Brave Prince - S0252"
},
{
"description": "[Smoke Loader](https://attack.mitre.org/software/S0226) is a malicious bot application that can be used to load other malware.\n[Smoke Loader](https://attack.mitre.org/software/S0226) has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)",
"meta": {
"external_id": "S0226",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0226",
"https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/",
"https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/"
],
"synonyms": [
"Smoke Loader",
"Dofoil"
]
},
"related": [
{
"dest-uuid": "81f41bae-2ba9-4cec-9613-776be71645ca",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0",
"value": "Smoke Loader - S0226"
2017-10-26 08:28:53 +00:00
},
{
"description": "[Linux Rabbit](https://attack.mitre.org/software/S0362) is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018)\n",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0362",
"mitre_platforms": [
"Linux"
],
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0362",
"https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"Linux Rabbit"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0efefea5-78da-4022-92bc-d726139e8883",
"value": "Linux Rabbit - S0362"
},
{
"description": "[LockerGoga ](https://attack.mitre.org/software/S0372) is ransomware that has been tied to various attacks on European companies. It was first reported upon in January 2019.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)",
"meta": {
"external_id": "S0372",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0372",
"https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/",
"https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/"
],
"synonyms": [
"LockerGoga "
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48",
"value": "LockerGoga - S0372"
2017-10-26 08:28:53 +00:00
},
{
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0328",
"mitre_platforms": [
"Android"
],
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0328",
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"Stealth Mango"
]
},
"related": [
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "085eb36d-697d-4d9a-bac3-96eb879fe73c",
"value": "Stealth Mango - S0328"
},
{
"description": "[Gold Dragon](https://attack.mitre.org/software/S0249) is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. [Gold Dragon](https://attack.mitre.org/software/S0249) was used along with [Brave Prince](https://attack.mitre.org/software/S0252) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)",
"meta": {
"external_id": "S0249",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0249",
"https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
],
"synonyms": [
"Gold Dragon"
]
2017-10-26 08:28:53 +00:00
},
2018-10-12 09:00:00 +00:00
"related": [
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b9799466-9dd7-4098-b2d6-f999ce50b9a8",
"value": "Gold Dragon - S0249"
},
{
"description": "[Cobian RAT](https://attack.mitre.org/software/S0338) is a backdoor, remote access tool that has been observed since 2016.(Citation: Zscaler Cobian Aug 2017)",
"meta": {
"external_id": "S0338",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0338",
"https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat"
],
"synonyms": [
"Cobian RAT"
]
},
"related": [
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "aa1462a1-d065-416c-b354-bedd04998c7f",
"value": "Cobian RAT - S0338"
},
{
"description": "[Cardinal RAT](https://attack.mitre.org/software/S0348) is a potentially low volume remote access trojan (RAT) observed since December 2015. [Cardinal RAT](https://attack.mitre.org/software/S0348) is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.(Citation: PaloAlto CardinalRat Apr 2017)",
"meta": {
"external_id": "S0348",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0348",
"https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/"
],
"synonyms": [
"Cardinal RAT"
]
},
"related": [
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b879758f-bbc4-4cab-b5ba-177ac9b009b4",
"value": "Cardinal RAT - S0348"
},
{
"description": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) is malware that was first seen infecting computer systems at the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware appears to be to cause destructive impact to the affected systems. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. The malware has worm-like features to spread itself across a computer network in order to maximize its destructive impact.(Citation: Talos Olympic Destroyer 2018) ",
"meta": {
"external_id": "S0365",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0365",
"https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
],
"synonyms": [
"Olympic Destroyer"
]
},
"related": [
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3249e92a-870b-426d-8790-ba311c1abfb4",
"value": "Olympic Destroyer - S0365"
},
{
"description": "[Ursnif ](https://attack.mitre.org/software/S0386) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193)s, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) [Ursnif ](https://attack.mitre.org/software/S0386) is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.(Citation: TrendMicro Ursnif Mar 2015)",
"meta": {
"external_id": "S0386",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0386",
"https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif",
"https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality",
"https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992",
"https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html"
],
"synonyms": [
"Ursnif ",
"Gozi-ISFB",
"PE_URSNIF",
"Dreambot"
]
},
"related": [
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "54456690-84de-4538-9101-643e26437e09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407",
"value": "Ursnif - S0386"
},
{
"description": "[Revenge RAT](https://attack.mitre.org/software/S0379) is a freely available remote access tool written in .NET (C#).(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)",
"meta": {
"external_id": "S0379",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0379",
"https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517",
"https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/"
],
"synonyms": [
"Revenge RAT"
]
},
"related": [
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326",
"value": "Revenge RAT - S0379"
},
{
"description": "[HyperBro ](https://attack.mitre.org/software/S0398) is a custom in-memory backdoor used by [Threat Group-3390](https://attack.mitre.org/groups/G0027).(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)",
"meta": {
"external_id": "S0398",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0398",
"https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
"https://securelist.com/luckymouse-hits-national-data-center/86083/",
"https://thehackernews.com/2018/06/chinese-watering-hole-attack.html"
],
"synonyms": [
"HyperBro "
]
},
"related": [
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5e814485-012d-423d-b769-026bfed0f451",
"value": "HyperBro - S0398"
},
{
"description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)",
"meta": {
"external_id": "S0306",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0306",
"https://securelist.com/mobile-malware-evolution-2013/58335/"
],
"synonyms": [
"Trojan-SMS.AndroidOS.FakeInst.a"
]
},
"related": [
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "28e39395-91e7-4f02-b694-5e079c964da9",
"value": "Trojan-SMS.AndroidOS.FakeInst.a - S0306"
},
{
"description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)",
"meta": {
"external_id": "S0307",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0307",
"https://securelist.com/mobile-malware-evolution-2013/58335/"
],
"synonyms": [
"Trojan-SMS.AndroidOS.Agent.ao"
]
},
"related": [
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17",
"value": "Trojan-SMS.AndroidOS.Agent.ao - S0307"
},
{
"description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. (Citation: Kaspersky-MobileMalware)",
"meta": {
"external_id": "S0308",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0308",
"https://securelist.com/mobile-malware-evolution-2013/58335/"
],
"synonyms": [
"Trojan-SMS.AndroidOS.OpFake.a"
]
},
"related": [
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d89c132d-7752-4c7f-9372-954a71522985",
"value": "Trojan-SMS.AndroidOS.OpFake.a - S0308"
},
{
"description": "[Mis-Type](https://attack.mitre.org/software/S0084) is a backdoor hybrid that was used by [Dust Storm](https://attack.mitre.org/groups/G0031) in 2012. (Citation: Cylance Dust Storm)",
"meta": {
"external_id": "S0084",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0084",
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf"
],
"synonyms": [
"Mis-Type"
]
},
"related": [
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
"value": "Mis-Type - S0084"
},
{
"description": "[S-Type](https://attack.mitre.org/software/S0085) is a backdoor that was used by [Dust Storm](https://attack.mitre.org/groups/G0031) from 2013 to 2014. (Citation: Cylance Dust Storm)",
"meta": {
"external_id": "S0085",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0085",
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf"
],
"synonyms": [
"S-Type"
]
},
"related": [
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131",
"value": "S-Type - S0085"
},
{
"description": "[Hi-Zor](https://attack.mitre.org/software/S0087) is a remote access tool (RAT) that has characteristics similar to [Sakula](https://attack.mitre.org/software/S0074). It was used in a campaign named INOCNATION. (Citation: Fidelis Hi-Zor)",
"meta": {
"external_id": "S0087",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0087",
"http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
],
"synonyms": [
"Hi-Zor"
]
},
"related": [
{
"dest-uuid": "d22a3e65-75e5-4970-b424-bdc06ec33dba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc",
"value": "Hi-Zor - S0087"
},
{
"description": "[Miner-C](https://attack.mitre.org/software/S0133) is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. (Citation: Softpedia MinerC)",
"meta": {
"external_id": "S0133",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0133",
"http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml"
],
"synonyms": [
"Miner-C",
"Mal/Miner-C",
"PhotoMiner"
]
},
"related": [
{
"dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234",
"value": "Miner-C - S0133"
},
{
"description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)",
"meta": {
"external_id": "S0304",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0304",
"https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"
],
"synonyms": [
"Android/Chuli.A"
]
},
"related": [
{
"dest-uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533",
"value": "Android/Chuli.A - S0304"
},
{
"description": "[Trojan.Mebromi](https://attack.mitre.org/software/S0001) is BIOS-level malware that takes control of the victim before MBR. (Citation: Ge 2011)",
"meta": {
"external_id": "S0001",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0001",
"http://www.symantec.com/connect/blogs/bios-threat-showing-again"
],
"synonyms": [
"Trojan.Mebromi"
]
},
"related": [
{
"dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec",
"value": "Trojan.Mebromi - S0001"
},
{
"description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)",
"meta": {
"external_id": "S0310",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0310",
"http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/"
],
"synonyms": [
"ANDROIDOS_ANSERVER.A"
]
},
"related": [
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8",
"value": "ANDROIDOS_ANSERVER.A - S0310"
},
{
"description": "[Agent.btz](https://attack.mitre.org/software/S0092) is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. (Citation: Securelist Agent.btz)",
"meta": {
"external_id": "S0092",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0092",
"https://securelist.com/agent-btz-a-source-of-inspiration/58551/"
],
"synonyms": [
"Agent.btz"
]
},
"related": [
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39",
"value": "Agent.btz - S0092"
},
{
"description": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a backdoor used by [Dragonfly](https://attack.mitre.org/groups/G0035). It appears to be custom malware authored by the group or specifically for it. (Citation: Symantec Dragonfly)",
"meta": {
"external_id": "S0093",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0093",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf"
],
"synonyms": [
"Backdoor.Oldrea",
"Havex"
]
},
"related": [
{
"dest-uuid": "d7183f66-59ec-4803-be20-237b442259fc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
"value": "Backdoor.Oldrea - S0093"
},
{
"description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums. (Citation: Symantec Dragonfly)",
"meta": {
"external_id": "S0094",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0094",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf"
],
"synonyms": [
"Trojan.Karagany"
]
},
"related": [
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d",
"value": "Trojan.Karagany - S0094"
},
{
"description": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a MacOS backdoor that has been used by [APT32](https://attack.mitre.org/groups/G0050).(Citation: TrendMicro MacOS April 2018)",
"meta": {
"external_id": "S0352",
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0352",
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/"
],
"synonyms": [
"OSX_OCEANLOTUS.D"
]
},
"related": [
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29",
"value": "OSX_OCEANLOTUS.D - S0352"
},
{
"description": "[T9000](https://attack.mitre.org/software/S0098) is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. (Citation: FireEye admin@338 March 2014) (Citation: Palo Alto T9000 Feb 2016)",
"meta": {
"external_id": "S0098",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0098",
"https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
"http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/"
],
"synonyms": [
"T9000"
]
},
"related": [
{
"dest-uuid": "66575fb4-7f92-42d8-8c47-e68a26413081",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
"value": "T9000 - S0098"
},
{
"description": "[BS2005](https://attack.mitre.org/software/S0014) is malware that was used by [Ke3chang](https://attack.mitre.org/groups/G0004) in spearphishing campaigns since at least 2011. (Citation: Villeneuve et al 2014)",
"meta": {
"external_id": "S0014",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0014",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
],
"synonyms": [
"BS2005"
]
},
"related": [
{
"dest-uuid": "25cd01bc-1346-4415-8f8d-d3656309ef6b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6",
"value": "BS2005 - S0014"
},
{
"description": "[Sys10](https://attack.mitre.org/software/S0060) is a backdoor that was used throughout 2013 by [Naikon](https://attack.mitre.org/groups/G0019). (Citation: Baumgartner Naikon 2015)",
"meta": {
"external_id": "S0060",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0060",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"
],
"synonyms": [
"Sys10"
]
},
"related": [
{
"dest-uuid": "2ae57534-6aac-4025-8d93-888dab112b45",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "7f8730af-f683-423f-9ee1-5f6875a80481",
"value": "Sys10 - S0060"
},
{
"description": "[Lurid](https://attack.mitre.org/software/S0010) is a malware family that has been used by several groups, including [PittyTiger](https://attack.mitre.org/groups/G0011), in targeted attacks as far back as 2006. (Citation: Villeneuve 2014) (Citation: Villeneuve 2011)",
"meta": {
"external_id": "S0010",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0010",
"https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf"
],
"synonyms": [
"Lurid",
"Enfal"
]
},
"related": [
{
"dest-uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad",
"value": "Lurid - S0010"
},
{
"description": "[Dipsind](https://attack.mitre.org/software/S0200) is a malware family of backdoors that appear to be used exclusively by [PLATINUM](https://attack.mitre.org/groups/G0068). (Citation: Microsoft PLATINUM April 2016)",
"meta": {
"external_id": "S0200",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0200",
"https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
],
"synonyms": [
"Dipsind"
]
},
"related": [
{
"dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517",
"value": "Dipsind - S0200"
},
{
"description": "[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. (Citation: TrendMicro-DressCode)",
"meta": {
"external_id": "S0300",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0300",
"http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/"
],
"synonyms": [
"DressCode"
]
},
"related": [
{
"dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca",
"value": "DressCode - S0300"
},
{
"description": "[Carbanak](https://attack.mitre.org/software/S0030) is a full-featured, remote backdoor used by a group of the same name ([Carbanak](https://attack.mitre.org/groups/G0008)). It is intended for espionage, data exfiltration, and providing remote access to infected machines. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017)",
"meta": {
"external_id": "S0030",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0030",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf",
"https://www.fox-it.com/en/about-fox-it/corporate/news/anunak-aka-carbanak-update/",
"https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html"
],
"synonyms": [
"Carbanak",
"Anunak"
]
},
"related": [
{
"dest-uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4",
"value": "Carbanak - S0030"
},
{
"description": "[RIPTIDE](https://attack.mitre.org/software/S0003) is a proxy-aware backdoor used by [APT12](https://attack.mitre.org/groups/G0005). (Citation: Moran 2014)",
"meta": {
"external_id": "S0003",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0003",
"https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
],
"synonyms": [
"RIPTIDE"
]
},
"related": [
{
"dest-uuid": "91583583-95c0-444e-8175-483cbebc640b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e",
"value": "RIPTIDE - S0003"
},
{
"description": "[TinyZBot](https://attack.mitre.org/software/S0004) is a bot written in C# that was developed by [Cleaver](https://attack.mitre.org/groups/G0003). (Citation: Cylance Cleaver)",
"meta": {
"external_id": "S0004",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0004",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
],
"synonyms": [
"TinyZBot"
]
},
"related": [
{
"dest-uuid": "e2cc27a2-4146-4f08-8e80-114a99204cea",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
"value": "TinyZBot - S0004"
},
{
"description": "[CosmicDuke](https://attack.mitre.org/software/S0050) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. (Citation: F-Secure The Dukes)",
"meta": {
"external_id": "S0050",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0050",
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
],
"synonyms": [
"CosmicDuke",
"TinyBaron",
"BotgenStudios",
"NemesisGemina"
]
},
"related": [
{
"dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"value": "CosmicDuke - S0050"
},
{
"description": "[HTTPBrowser](https://attack.mitre.org/software/S0070) is malware that has been used by several threat groups. (Citation: ThreatStream Evasion Analysis) (Citation: Dell TG-3390) It is believed to be of Chinese origin. (Citation: ThreatConnect Anthem)",
"meta": {
"external_id": "S0070",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0070",
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage",
"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/",
"https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"
],
"synonyms": [
"HTTPBrowser",
"Token Control",
"HttpDump"
]
},
"related": [
{
"dest-uuid": "08e2c9ef-aa62-429f-a6e5-e901ff6883cd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
"value": "HTTPBrowser - S0070"
},
{
"description": "[Mivast](https://attack.mitre.org/software/S0080) is a backdoor that has been used by [Deep Panda](https://attack.mitre.org/groups/G0009). It was reportedly used in the Anthem breach. (Citation: Symantec Black Vine)",
"meta": {
"external_id": "S0080",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0080",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf",
"http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2"
],
"synonyms": [
"Mivast"
]
},
"related": [
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3",
"value": "Mivast - S0080"
},
{
"description": "[Hikit](https://attack.mitre.org/software/S0009) is malware that has been used by [Axiom](https://attack.mitre.org/groups/G0001) for late-stage persistence and exfiltration after the initial compromise. (Citation: Novetta-Axiom)",
"meta": {
"external_id": "S0009",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0009",
"http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf"
],
"synonyms": [
"Hikit"
]
},
"related": [
{
"dest-uuid": "06953055-92ed-4936-8ffd-d9d72ab6bef6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "95047f03-4811-4300-922e-1ba937d53a61",
"value": "Hikit - S0009"
},
{
"description": "[Rover](https://attack.mitre.org/software/S0090) is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. (Citation: Palo Alto Rover)",
"meta": {
"external_id": "S0090",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0090",
"http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/"
],
"synonyms": [
"Rover"
]
},
"related": [
{
"dest-uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
"value": "Rover - S0090"
},
{
"description": "[Taidoor](https://attack.mitre.org/software/S0011) is malware that has been used since at least 2010, primarily to target Taiwanese government organizations. (Citation: TrendMicro Taidoor)",
"meta": {
"external_id": "S0011",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0011",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf"
],
"synonyms": [
"Taidoor"
]
},
"related": [
{
"dest-uuid": "cda7d605-23d0-4f93-a585-1276f094c04a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b143dfa4-e944-43ff-8429-bfffc308c517",
"value": "Taidoor - S0011"
},
{
"description": "[WEBC2](https://attack.mitre.org/software/S0109) is a backdoor used by [APT1](https://attack.mitre.org/groups/G0006) to retrieve a Web page from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)",
"meta": {
"external_id": "S0109",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0109",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"WEBC2"
]
},
"related": [
{
"dest-uuid": "b5be84b7-bf2c-40d0-85a9-14c040881a98",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "1d808f62-cf63-4063-9727-ff6132514c22",
"value": "WEBC2 - S0109"
},
{
"description": "[Derusbi](https://attack.mitre.org/software/S0021) is malware used by multiple Chinese APT groups. (Citation: Novetta-Axiom) (Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed. (Citation: Fidelis Turbo)",
"meta": {
"external_id": "S0021",
"mitre_platforms": [
"Windows",
"Linux"
],
"refs": [
"https://attack.mitre.org/software/S0021",
"http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/",
"https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602_0.pdf",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
],
"synonyms": [
"Derusbi",
"PHOTO"
]
},
"related": [
{
"dest-uuid": "eff68b97-f36e-4827-ab1a-90523c16774c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
"value": "Derusbi - S0021"
},
{
"description": "[JPIN](https://attack.mitre.org/software/S0201) is a custom-built backdoor family used by [PLATINUM](https://attack.mitre.org/groups/G0068). Evidence suggests developers of [JPIN](https://attack.mitre.org/software/S0201) and [Dipsind](https://attack.mitre.org/software/S0200) code bases were related in some way. (Citation: Microsoft PLATINUM April 2016)",
"meta": {
"external_id": "S0201",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0201",
"https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
],
"synonyms": [
"JPIN"
]
},
"related": [
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "de6cb631-52f6-4169-a73b-7965390b0c30",
"value": "JPIN - S0201"
},
{
"description": "[PoisonIvy](https://attack.mitre.org/software/S0012) is a popular remote access tool (RAT) that has been used by many groups. (Citation: FireEye Poison Ivy) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Darkmoon Aug 2005)",
"meta": {
"external_id": "S0012",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0012",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99",
"https://www.symantec.com/connect/blogs/life-mars-how-attackers-took-advantage-hope-alien-existance-new-darkmoon-campaign"
],
"synonyms": [
"PoisonIvy",
"Poison Ivy",
"Darkmoon"
]
},
"related": [
{
"dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b42378e0-f147-496f-992a-26a49705395b",
"value": "PoisonIvy - S0012"
},
{
"description": "[Nerex](https://attack.mitre.org/software/S0210) is a Trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Nerex May 2012)",
"meta": {
"external_id": "S0210",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0210",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3445-99"
],
"synonyms": [
"Nerex"
]
},
"related": [
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a",
"value": "Nerex - S0210"
},
{
"description": "[BACKSPACE](https://attack.mitre.org/software/S0031) is a backdoor used by [APT30](https://attack.mitre.org/groups/G0013) that dates back to at least 2005. (Citation: FireEye APT30)",
"meta": {
"external_id": "S0031",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0031",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"synonyms": [
"BACKSPACE",
"Lecna"
]
},
"related": [
{
"dest-uuid": "cd6c5f27-cf7e-4529-ae9c-ab5b85102bde",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"value": "BACKSPACE - S0031"
},
{
"description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android malware family. (Citation: Lookout-Dendroid)",
"meta": {
"external_id": "S0301",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0301",
"https://blog.lookout.com/blog/2014/03/06/dendroid/"
],
"synonyms": [
"Dendroid"
]
},
"related": [
{
"dest-uuid": "ea3a8c25-4adb-4538-bf11-55259bdba15f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e",
"value": "Dendroid - S0301"
},
{
"description": "[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. (Citation: Lastline PlugX Analysis) (Citation: FireEye Clandestine Fox Part 2) (Citation: New DragonOK) (Citation: Dell TG-3390)",
"meta": {
"external_id": "S0013",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0013",
"http://labs.lastline.com/an-analysis-of-plugx",
"https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html",
"http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage",
"http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf"
],
"synonyms": [
"PlugX",
"DestroyRAT",
"Sogu",
"Kaba",
"Korplug"
]
},
"related": [
{
"dest-uuid": "663f8ef9-4c50-499a-b765-f377d23c1070",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f4b159ea-97e5-483b-854b-c48a78d562aa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"value": "PlugX - S0013"
},
{
"description": "[Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)",
"meta": {
"external_id": "S0140",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0140",
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/",
"https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
"https://www.symantec.com/connect/blogs/shamoon-attacks",
"https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html"
],
"synonyms": [
"Shamoon",
"Disttrack"
]
},
"related": [
{
"dest-uuid": "776b1849-8d5b-4762-8ba1-cbbaddb4ce3a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"value": "Shamoon - S0140"
},
{
"description": "[Wiper](https://attack.mitre.org/software/S0041) is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper)",
"meta": {
"external_id": "S0041",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0041",
"http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/"
],
"synonyms": [
"Wiper"
]
},
"related": [
{
"dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085",
"value": "Wiper - S0041"
},
{
"description": "[MiniDuke](https://attack.mitre.org/software/S0051) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. The [MiniDuke](https://attack.mitre.org/software/S0051) toolset consists of multiple downloader and backdoor components. The loader has been used with other [MiniDuke](https://attack.mitre.org/software/S0051) components as well as in conjunction with [CosmicDuke](https://attack.mitre.org/software/S0050) and [PinchDuke](https://attack.mitre.org/software/S0048). (Citation: F-Secure The Dukes)",
"meta": {
"external_id": "S0051",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0051",
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
],
"synonyms": [
"MiniDuke"
]
},
"related": [
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c",
"value": "MiniDuke - S0051"
},
{
"description": "[POSHSPY](https://attack.mitre.org/software/S0150) is a backdoor that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors. (Citation: FireEye POSHSPY April 2017)",
"meta": {
"external_id": "S0150",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0150",
"https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"
],
"synonyms": [
"POSHSPY"
]
},
"related": [
{
"dest-uuid": "6e45f758-7bd9-44b8-a21c-7309614ae176",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4df1b257-c242-46b0-b120-591430066b6f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "54456690-84de-4538-9101-643e26437e09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808",
"value": "POSHSPY - S0150"
},
{
"description": "[Ixeshe](https://attack.mitre.org/software/S0015) is a malware family that has been used since at least 2009 against targets in East Asia. (Citation: Moran 2013)",
"meta": {
"external_id": "S0015",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0015",
"https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html"
],
"synonyms": [
"Ixeshe"
]
},
"related": [
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06",
"value": "Ixeshe - S0015"
},
{
"description": "[HDoor](https://attack.mitre.org/software/S0061) is malware that has been customized and used by the [Naikon](https://attack.mitre.org/groups/G0019) group. (Citation: Baumgartner Naikon 2015)",
"meta": {
"external_id": "S0061",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0061",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"
],
"synonyms": [
"HDoor",
"Custom HDoor"
]
},
"related": [
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b",
"value": "HDoor - S0061"
},
{
"description": "[BISCUIT](https://attack.mitre.org/software/S0017) is a backdoor that has been used by [APT1](https://attack.mitre.org/groups/G0006) since as early as 2007. (Citation: Mandiant APT1)",
"meta": {
"external_id": "S0017",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0017",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip"
],
"synonyms": [
"BISCUIT"
]
},
"related": [
{
"dest-uuid": "f1e05a12-ca50-41ab-a963-d7df5bcb141d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda",
"value": "BISCUIT - S0017"
},
{
"description": "[Helminth](https://attack.mitre.org/software/S0170) is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via a macros in Excel spreadsheets, and one that is a standalone Windows executable. (Citation: Palo Alto OilRig May 2016)",
"meta": {
"external_id": "S0170",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0170",
"http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"
],
"synonyms": [
"Helminth"
]
},
"related": [
{
"dest-uuid": "19d89300-ff97-4281-ac42-76542e744092",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"value": "Helminth - S0170"
},
{
"description": "[hcdLoader](https://attack.mitre.org/software/S0071) is a remote access tool (RAT) that has been used by [APT18](https://attack.mitre.org/groups/G0026). (Citation: Dell Lateral Movement)",
"meta": {
"external_id": "S0071",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0071",
"http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/"
],
"synonyms": [
"hcdLoader"
]
},
"related": [
{
"dest-uuid": "12bb8f4f-af29-49a0-8c2c-d28468f28fd8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e",
"value": "hcdLoader - S0071"
},
{
"description": "[Elise](https://attack.mitre.org/software/S0081) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It is part of a larger group of\ntools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)",
"meta": {
"external_id": "S0081",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0081",
"https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html",
"https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf"
],
"synonyms": [
"Elise",
"BKDR_ESILE",
"Page"
]
},
"related": [
{
"dest-uuid": "d70fd29d-590e-4ed5-b72f-6ce0142019c6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3477a25d-e04b-475e-8330-39f66c10cc01",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"value": "Elise - S0081"
},
{
"description": "[Sykipot](https://attack.mitre.org/software/S0018) is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of [Sykipot](https://attack.mitre.org/software/S0018) hijacks smart cards on victims. (Citation: Alienvault Sykipot DOD Smart Cards) The group using this malware has also been referred to as Sykipot. (Citation: Blasco 2013)",
"meta": {
"external_id": "S0018",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0018",
"http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments",
"https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards"
],
"synonyms": [
"Sykipot"
]
},
"related": [
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
"value": "Sykipot - S0018"
},
{
"description": "[Volgmer](https://attack.mitre.org/software/S0180) is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. (Citation: US-CERT Volgmer Nov 2017)",
"meta": {
"external_id": "S0180",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0180",
"https://www.us-cert.gov/ncas/alerts/TA17-318B",
"https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF",
"https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2"
],
"synonyms": [
"Volgmer"
]
},
"related": [
{
"dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
"value": "Volgmer - S0180"
},
{
"description": "[Epic](https://attack.mitre.org/software/S0091) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)",
"meta": {
"external_id": "S0091",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0091",
"https://securelist.com/the-epic-turla-operation/65545/"
],
"synonyms": [
"Epic",
"Tavdig",
"Wipbot",
"WorldCupSec",
"TadjMakhal"
]
},
"related": [
{
"dest-uuid": "36c0faf0-428e-4e7f-93c5-824bb0495ac9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "6b62e336-176f-417b-856a-8552dd8c44e1",
"value": "Epic - S0091"
},
{
"description": "[Regin](https://attack.mitre.org/software/S0019) is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some [Regin](https://attack.mitre.org/software/S0019) timestamps date back to 2003. (Citation: Kaspersky Regin)",
"meta": {
"external_id": "S0019",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0019",
"https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
],
"synonyms": [
"Regin"
]
},
"related": [
{
"dest-uuid": "0cf21558-1217-4d36-9536-2919cfd44825",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"value": "Regin - S0019"
},
{
"description": "[Chaos](https://attack.mitre.org/software/S0220) is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. (Citation: Chaos Stolen Backdoor)",
"meta": {
"external_id": "S0220",
"mitre_platforms": [
"Linux"
],
"refs": [
"https://attack.mitre.org/software/S0220",
"http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/"
],
"synonyms": [
"Chaos"
]
},
"related": [
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5bcd5511-6756-4824-a692-e8bb109364af",
"value": "Chaos - S0220"
},
{
"description": "[Uroburos](https://attack.mitre.org/software/S0022) is a rootkit used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)",
"meta": {
"external_id": "S0022",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0022",
"https://securelist.com/the-epic-turla-operation/65545/"
],
"synonyms": [
"Uroburos"
]
},
"related": [
{
"dest-uuid": "22332d52-c0c2-443c-9ffb-f08c0d23722c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4",
"value": "Uroburos - S0022"
},
{
"description": "[adbupd](https://attack.mitre.org/software/S0202) is a backdoor used by [PLATINUM](https://attack.mitre.org/groups/G0068) that is similar to [Dipsind](https://attack.mitre.org/software/S0200). (Citation: Microsoft PLATINUM April 2016)",
"meta": {
"external_id": "S0202",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0202",
"https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
],
"synonyms": [
"adbupd"
]
},
"related": [
{
"dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0f1ad2ef-41d4-4b7a-9304-ddae68ea3005",
"value": "adbupd - S0202"
},
{
"description": "[CHOPSTICK](https://attack.mitre.org/software/S0023) is a malware family of modular backdoors used by [APT28](https://attack.mitre.org/groups/G0007). It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the [X-Agent for Android](https://attack.mitre.org/software/S0314).",
"meta": {
"external_id": "S0023",
"mitre_platforms": [
"Windows",
"Linux"
],
"refs": [
"https://attack.mitre.org/software/S0023",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf",
"https://www.justice.gov/file/1080281/download",
"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government"
],
"synonyms": [
"CHOPSTICK",
"Backdoor.SofacyX",
"SPLM",
"Xagent",
"X-Agent",
"webhp"
]
},
"related": [
{
"dest-uuid": "56660521-6db4-4e5a-a927-464f22954b7c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "54456690-84de-4538-9101-643e26437e09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"value": "CHOPSTICK - S0023"
},
{
"description": "[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)",
"meta": {
"external_id": "S0320",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0320",
"https://www.zscaler.com/blogs/research/super-mario-run-malware-2--droidjack-rat",
"https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"
],
"synonyms": [
"DroidJack"
]
},
"related": [
{
"dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"value": "DroidJack - S0320"
},
{
"description": "[Hydraq](https://attack.mitre.org/software/S0203) is a data-theft trojan first used by [Elderwood](https://attack.mitre.org/groups/G0066) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including [APT17](https://attack.mitre.org/groups/G0025). (Citation: MicroFocus 9002 Aug 2016) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: ASERT Seven Pointed Dagger Aug 2015) (Citation: FireEye DeputyDog 9002 November 2013) (Citation: ProofPoint GoT 9002 Aug 2017) (Citation: FireEye Sunshop Campaign May 2013) (Citation: PaloAlto 3102 Sept 2015)",
"meta": {
"external_id": "S0203",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0203",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/connect/blogs/trojanhydraq-incident",
"https://community.softwaregrp.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WosBVKjwZPZ",
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
"https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html",
"https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures",
"https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html",
"https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/"
],
"synonyms": [
"Hydraq",
"Aurora",
"9002 RAT"
]
},
"related": [
{
"dest-uuid": "70c31066-237a-11e8-8eff-37ef1ad0c703",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f",
"value": "Hydraq - S0203"
},
{
"description": "[ZeroT](https://attack.mitre.org/software/S0230) is a Trojan used by [TA459](https://attack.mitre.org/groups/G0062), often in conjunction with [PlugX](https://attack.mitre.org/software/S0013). (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017)",
"meta": {
"external_id": "S0230",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0230",
"https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts",
"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
],
"synonyms": [
"ZeroT"
]
},
"related": [
{
"dest-uuid": "ff00fa92-b32e-46b6-88ca-98357ebe3f54",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f",
"value": "ZeroT - S0230"
},
{
"description": "[Twitoor](https://attack.mitre.org/software/S0302) is an Android malware family that likely spreads by SMS or via malicious URLs. (Citation: ESET-Twitoor)",
"meta": {
"external_id": "S0302",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0302",
"http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"
],
"synonyms": [
"Twitoor"
]
},
"related": [
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c",
"value": "Twitoor - S0302"
},
{
"description": "[LOWBALL](https://attack.mitre.org/software/S0042) is malware used by [admin@338](https://attack.mitre.org/groups/G0018). It was used in August 2015 in email messages targeting Hong Kong-based media organizations. (Citation: FireEye admin@338)",
"meta": {
"external_id": "S0042",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0042",
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
],
"synonyms": [
"LOWBALL"
]
},
"related": [
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b",
"value": "LOWBALL - S0042"
},
{
"description": "[ROKRAT](https://attack.mitre.org/software/S0240) is a cloud-based remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067). This software has been used to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) used ROKRAT during several campaigns in 2016 through 2018. (Citation: Talos ROKRAT) (Citation: Talos Group123)",
"meta": {
"external_id": "S0240",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0240",
"https://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
"https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
"https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html"
],
"synonyms": [
"ROKRAT"
]
},
"related": [
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f",
"value": "ROKRAT - S0240"
},
{
"description": "[Briba](https://attack.mitre.org/software/S0204) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor and download files on to compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Briba May 2012)",
"meta": {
"external_id": "S0204",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0204",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99"
],
"synonyms": [
"Briba"
]
},
"related": [
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde",
"value": "Briba - S0204"
},
{
"description": "[Dyre](https://attack.mitre.org/software/S0024) is a Trojan that has been used for financial gain. \n (Citation: Symantec Dyre June 2015)",
"meta": {
"external_id": "S0024",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0024",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf"
],
"synonyms": [
"Dyre"
]
},
"related": [
{
"dest-uuid": "15e969e6-f031-4441-a49b-f401332e4b00",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1ecbcd20-f238-47ef-874b-08ef93266395",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe",
"value": "Dyre - S0024"
},
{
"description": "[CALENDAR](https://attack.mitre.org/software/S0025) is malware used by [APT1](https://attack.mitre.org/groups/G0006) that mimics legitimate Gmail Calendar traffic. (Citation: Mandiant APT1)",
"meta": {
"external_id": "S0025",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0025",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"CALENDAR"
]
},
"related": [
{
"dest-uuid": "e2c18713-0a95-4092-a0e9-76358512daad",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283",
"value": "CALENDAR - S0025"
},
{
"description": "[OnionDuke](https://attack.mitre.org/software/S0052) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2013 to 2015. (Citation: F-Secure The Dukes)",
"meta": {
"external_id": "S0052",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0052",
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
],
"synonyms": [
"OnionDuke"
]
},
"related": [
{
"dest-uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b136d088-a829-432c-ac26-5529c26d4c7e",
"value": "OnionDuke - S0052"
},
{
"description": "[Naid](https://attack.mitre.org/software/S0205) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Naid June 2012)",
"meta": {
"external_id": "S0205",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0205",
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf"
],
"synonyms": [
"Naid"
]
},
"related": [
{
"dest-uuid": "170db76b-93f7-4fd1-97fc-55937c079b66",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2",
"value": "Naid - S0205"
},
{
"description": "[GLOOXMAIL](https://attack.mitre.org/software/S0026) is malware used by [APT1](https://attack.mitre.org/groups/G0006) that mimics legitimate Jabber/XMPP traffic. (Citation: Mandiant APT1)",
"meta": {
"external_id": "S0026",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0026",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"GLOOXMAIL",
"Trojan.GTALK"
]
},
"related": [
{
"dest-uuid": "a379f09b-5cec-4bdb-9735-125cef2de073",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2",
"value": "GLOOXMAIL - S0026"
},
{
"description": "[DustySky](https://attack.mitre.org/software/S0062) is multi-stage malware written in .NET that has been used by [Molerats](https://attack.mitre.org/groups/G0021) since May 2015. (Citation: DustySky) (Citation: DustySky2)",
"meta": {
"external_id": "S0062",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0062",
"https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf",
"http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf"
],
"synonyms": [
"DustySky",
"NeD Worm"
]
},
"related": [
{
"dest-uuid": "eedcf785-d011-4e17-96c4-6ff39138ada0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
"value": "DustySky - S0062"
},
{
"description": "[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by threat actors since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. (Citation: ESET InvisiMole June 2018)",
"meta": {
"external_id": "S0260",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0260",
"https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/"
],
"synonyms": [
"InvisiMole"
]
},
"related": [
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "47afe41c-4c08-485e-b062-c3bd209a1cce",
"value": "InvisiMole - S0260"
},
{
"description": "[Wiarp](https://attack.mitre.org/software/S0206) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012)",
"meta": {
"external_id": "S0206",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0206",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99"
],
"synonyms": [
"Wiarp"
]
},
"related": [
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "039814a0-88de-46c5-a4fb-b293db21880a",
"value": "Wiarp - S0206"
},
{
"description": "[OwaAuth](https://attack.mitre.org/software/S0072) is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by [Threat Group-3390](https://attack.mitre.org/groups/G0027). (Citation: Dell TG-3390)",
"meta": {
"external_id": "S0072",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0072",
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"
],
"synonyms": [
"OwaAuth"
]
},
"related": [
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5",
"value": "OwaAuth - S0072"
},
{
"description": "[RogueRobin](https://attack.mitre.org/software/S0270) is a payload used by [DarkHydrus](https://attack.mitre.org/groups/G0079) that has been developed in PowerShell and C#. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)",
"meta": {
"external_id": "S0270",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0270",
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
"https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/"
],
"synonyms": [
"RogueRobin"
]
},
"related": [
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122",
"value": "RogueRobin - S0270"
},
{
"description": "[Vasport](https://attack.mitre.org/software/S0207) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Vasport May 2012)",
"meta": {
"external_id": "S0207",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0207",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-5938-99"
],
"synonyms": [
"Vasport"
]
},
"related": [
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5",
"value": "Vasport - S0207"
},
{
"description": "[Zeroaccess](https://attack.mitre.org/software/S0027) is a kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that attempts to add victims to the ZeroAccess botnet, often for monetary gain. (Citation: Sophos ZeroAccess)",
"meta": {
"external_id": "S0027",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0027",
"https://sophosnews.files.wordpress.com/2012/04/zeroaccess2.pdf"
],
"synonyms": [
"Zeroaccess",
"Trojan.Zeroaccess"
]
},
"related": [
{
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "552462b9-ae79-49dd-855c-5973014e157f",
"value": "Zeroaccess - S0027"
},
{
"description": "[SHIPSHAPE](https://attack.mitre.org/software/S0028) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)",
"meta": {
"external_id": "S0028",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0028",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"synonyms": [
"SHIPSHAPE"
]
},
"related": [
{
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a",
"value": "SHIPSHAPE - S0028"
},
{
"description": "[Emissary](https://attack.mitre.org/software/S0082) is a Trojan that has been used by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It shares code with [Elise](https://attack.mitre.org/software/S0081), with both Trojans being part of a malware group referred to as LStudio. (Citation: Lotus Blossom Dec 2015)",
"meta": {
"external_id": "S0082",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0082",
"http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/"
],
"synonyms": [
"Emissary"
]
},
"related": [
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"value": "Emissary - S0082"
},
{
"description": "[MirageFox](https://attack.mitre.org/software/S0280) is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. (Citation: APT15 Intezer June 2018)",
"meta": {
"external_id": "S0280",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0280",
"https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/"
],
"synonyms": [
"MirageFox"
]
},
"related": [
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e3cedcfe-6515-4348-af65-7f2c4157bf0d",
"value": "MirageFox - S0280"
},
{
"description": "[Pasam](https://attack.mitre.org/software/S0208) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Pasam May 2012)",
"meta": {
"external_id": "S0208",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0208",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-050412-4128-99"
],
"synonyms": [
"Pasam"
]
},
"related": [
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae",
"value": "Pasam - S0208"
},
{
"description": "is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Darkmoon Aug 2005)\n\nAliases: Darkmoon",
"meta": {
"external_id": "S0209",
"refs": [
"https://attack.mitre.org/software/S0209"
]
},
"related": [
{
"dest-uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "revoked-by"
}
],
"uuid": "310f437b-29e7-4844-848c-7220868d074a",
"value": "Darkmoon - S0209"
},
{
"description": "[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)",
"meta": {
"external_id": "S0290",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0290",
"http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/",
"https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi",
"https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/"
],
"synonyms": [
"Gooligan",
"Ghost Push"
]
},
"related": [
{
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "20d56cd6-8dff-4871-9889-d32d254816de",
"value": "Gooligan - S0290"
},
{
"description": "[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)",
"meta": {
"external_id": "S0303",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0303",
"https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
],
"synonyms": [
"MazarBOT"
]
},
"related": [
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
"value": "MazarBOT - S0303"
},
{
"description": "[NetTraveler](https://attack.mitre.org/software/S0033) is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. (Citation: Kaspersky NetTraveler)",
"meta": {
"external_id": "S0033",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0033",
"http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf"
],
"synonyms": [
"NetTraveler"
]
},
"related": [
{
"dest-uuid": "59b70721-6fed-4805-afa5-4ff2554bef81",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3a26ee44-3224-48f3-aefb-3978c972d928",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e",
"value": "NetTraveler - S0033"
},
{
"description": "[BUBBLEWRAP](https://attack.mitre.org/software/S0043) is a full-featured, second-stage backdoor used by the [admin@338](https://attack.mitre.org/groups/G0018) group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. (Citation: FireEye admin@338)",
"meta": {
"external_id": "S0043",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0043",
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
],
"synonyms": [
"BUBBLEWRAP",
"Backdoor.APT.FakeWinHTTPHelper"
]
},
"related": [
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b",
"value": "BUBBLEWRAP - S0043"
},
{
"description": "[NETEAGLE](https://attack.mitre.org/software/S0034) is a backdoor developed by [APT30](https://attack.mitre.org/groups/G0013) with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” (Citation: FireEye APT30)",
"meta": {
"external_id": "S0034",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0034",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"synonyms": [
"NETEAGLE"
]
},
"related": [
{
"dest-uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
"value": "NETEAGLE - S0034"
},
{
"description": "[Octopus](https://attack.mitre.org/software/S0340) is a Windows Trojan.(Citation: Securelist Octopus Oct 2018)",
"meta": {
"external_id": "S0340",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0340",
"https://securelist.com/octopus-infested-seas-of-central-asia/88200/"
],
"synonyms": [
"Octopus"
]
},
"related": [
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e2031fd5-02c2-43d4-85e2-b64f474530c2",
"value": "Octopus - S0340"
},
{
"description": "[SPACESHIP](https://attack.mitre.org/software/S0035) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)",
"meta": {
"external_id": "S0035",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0035",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"synonyms": [
"SPACESHIP"
]
},
"related": [
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "8b880b41-5139-4807-baa9-309690218719",
"value": "SPACESHIP - S0035"
},
{
"description": "[SeaDuke](https://attack.mitre.org/software/S0053) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with [CozyCar](https://attack.mitre.org/software/S0046). (Citation: F-Secure The Dukes)",
"meta": {
"external_id": "S0053",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0053",
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
],
"synonyms": [
"SeaDuke",
"SeaDaddy",
"SeaDesk"
]
},
"related": [
{
"dest-uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"value": "SeaDuke - S0053"
},
{
"description": "[zwShell](https://attack.mitre.org/software/S0350) is a remote access tool (RAT) written in Delphi that has been used by [Night Dragon](https://attack.mitre.org/groups/G0014).(Citation: McAfee Night Dragon)",
"meta": {
"external_id": "S0350",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0350",
"https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf"
],
"synonyms": [
"zwShell"
]
},
"related": [
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "54e8672d-5338-4ad1-954a-a7c986bee530",
"value": "zwShell - S0350"
},
{
"description": "[BONDUPDATER](https://attack.mitre.org/software/S0360) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig Sep 2018)",
"meta": {
"external_id": "S0360",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0360",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
"https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/"
],
"synonyms": [
"BONDUPDATER"
]
},
"related": [
{
"dest-uuid": "54456690-84de-4538-9101-643e26437e09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d5268dfb-ae2b-4e0e-ac07-02a460613d8a",
"value": "BONDUPDATER - S0360"
},
{
"description": "[FLASHFLOOD](https://attack.mitre.org/software/S0036) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)",
"meta": {
"external_id": "S0036",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0036",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"synonyms": [
"FLASHFLOOD"
]
},
"related": [
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a",
"value": "FLASHFLOOD - S0036"
},
{
"description": "[SHOTPUT](https://attack.mitre.org/software/S0063) is a custom backdoor used by [APT3](https://attack.mitre.org/groups/G0022). (Citation: FireEye Clandestine Wolf)",
"meta": {
"external_id": "S0063",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0063",
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
"https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html"
],
"synonyms": [
"SHOTPUT",
"Backdoor.APT.CookieCutter",
"Pirpi"
]
},
"related": [
{
"dest-uuid": "4859330d-c6a5-4b9c-b45b-536ec983cd4a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb",
"value": "SHOTPUT - S0063"
},
{
"description": "[HAMMERTOSS](https://attack.mitre.org/software/S0037) is a backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2015. (Citation: FireEye APT29) (Citation: F-Secure The Dukes)",
"meta": {
"external_id": "S0037",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0037",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf",
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
],
"synonyms": [
"HAMMERTOSS",
"HammerDuke",
"NetDuke"
]
},
"related": [
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4",
"value": "HAMMERTOSS - S0037"
},
{
"description": "[ASPXSpy](https://attack.mitre.org/software/S0073) is a Web shell. It has been modified by [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors to create the ASPXTool version. (Citation: Dell TG-3390)",
"meta": {
"external_id": "S0073",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0073",
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"
],
"synonyms": [
"ASPXSpy",
"ASPXTool"
]
},
"related": [
{
"dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2",
"value": "ASPXSpy - S0073"
},
{
"description": "[SamSam](https://attack.mitre.org/software/S0370) is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.(Citation: US-CERT SamSam 2018)(Citation: Talos SamSam Jan 2018)(Citation: Sophos SamSam Apr 2018)(Citation: Symantec SamSam Oct 2018)",
"meta": {
"external_id": "S0370",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0370",
"https://www.us-cert.gov/ncas/alerts/AA18-337A",
"https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html",
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf",
"https://www.symantec.com/blogs/threat-intelligence/samsam-targeted-ransomware-attacks"
],
"synonyms": [
"SamSam",
"Samas"
]
},
"related": [
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62",
"value": "SamSam - S0370"
},
{
"description": "[StoneDrill](https://attack.mitre.org/software/S0380) is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with [APT33](https://attack.mitre.org/groups/G0064).(Citation: FireEye APT33 Sept 2017)(Citation: Kaspersky StoneDrill 2017)",
"meta": {
"external_id": "S0380",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0380",
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf"
],
"synonyms": [
"StoneDrill",
"DROPSHOT"
]
},
"related": [
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887",
"value": "StoneDrill - S0380"
},
{
"description": "[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)",
"meta": {
"external_id": "S0038",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0038",
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf"
],
"synonyms": [
"Duqu"
]
},
"related": [
{
"dest-uuid": "809b54c3-dd6a-4ec9-8c3a-a27b9baa6732",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"value": "Duqu - S0038"
},
{
"description": "[Misdat](https://attack.mitre.org/software/S0083) is a backdoor that was used by [Dust Storm](https://attack.mitre.org/groups/G0031) from 2010 to 2011. (Citation: Cylance Dust Storm)",
"meta": {
"external_id": "S0083",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0083",
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf"
],
"synonyms": [
"Misdat"
]
},
"related": [
{
"dest-uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
"value": "Misdat - S0083"
},
{
"description": "[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)",
"meta": {
"external_id": "S0309",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0309",
"https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html",
"http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534"
],
"synonyms": [
"Adups"
]
},
"related": [
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"value": "Adups - S0309"
},
{
"description": "[SQLRat](https://attack.mitre.org/software/S0390) is malware that executes SQL scripts to avoid leaving traditional host artifacts. [FIN7](https://attack.mitre.org/groups/G0046) has been observed using it.(Citation: Flashpoint FIN 7 March 2019)",
"meta": {
"external_id": "S0390",
"refs": [
"https://attack.mitre.org/software/S0390",
"https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/ "
],
"synonyms": [
"SQLRat"
]
},
"related": [
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06",
"value": "SQLRat - S0390"
},
{
"description": "[JHUHUGIT](https://attack.mitre.org/software/S0044) is malware used by [APT28](https://attack.mitre.org/groups/G0007). It is based on Carberp source code and serves as reconnaissance malware. (Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017)",
"meta": {
"external_id": "S0044",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0044",
"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
"https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf",
"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
"https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html",
"https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/"
],
"synonyms": [
"JHUHUGIT",
"Trojan.Sofacy",
"Seduploader",
"JKEYSKW",
"Sednit",
"GAMEFISH",
"SofacyCarberp"
]
},
"related": [
{
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"value": "JHUHUGIT - S0044"
},
{
"description": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) is a spying backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)",
"meta": {
"external_id": "S0045",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0045",
"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf"
],
"synonyms": [
"ADVSTORESHELL",
"AZZY",
"EVILTOSS",
"NETUI",
"Sedreco"
]
},
"related": [
{
"dest-uuid": "6374fc53-9a0d-41ba-b9cf-2a9765d69fbb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"value": "ADVSTORESHELL - S0045"
},
{
"description": "[CloudDuke](https://attack.mitre.org/software/S0054) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2015. (Citation: F-Secure The Dukes) (Citation: Securelist Minidionis July 2015)",
"meta": {
"external_id": "S0054",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0054",
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf",
"https://securelist.com/minidionis-one-more-apt-with-a-usage-of-cloud-drives/71443/"
],
"synonyms": [
"CloudDuke",
"MiniDionis",
"CloudLook"
]
},
"related": [
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "cbf646f1-7db5-4dc6-808b-0094313949df",
"value": "CloudDuke - S0054"
},
{
"description": "[CozyCar](https://attack.mitre.org/software/S0046) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. (Citation: F-Secure The Dukes)",
"meta": {
"external_id": "S0046",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0046",
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
],
"synonyms": [
"CozyCar",
"CozyDuke",
"CozyBear",
"Cozer",
"EuroAPT"
]
},
"related": [
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
"value": "CozyCar - S0046"
},
{
"description": "[ELMER](https://attack.mitre.org/software/S0064) is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by [APT16](https://attack.mitre.org/groups/G0023). (Citation: FireEye EPS Awakens Part 2)",
"meta": {
"external_id": "S0064",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0064",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
],
"synonyms": [
"ELMER"
]
},
"related": [
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c",
"value": "ELMER - S0064"
},
{
"description": "[Sakula](https://attack.mitre.org/software/S0074) is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. (Citation: Dell Sakula)",
"meta": {
"external_id": "S0074",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0074",
"http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/"
],
"synonyms": [
"Sakula",
"Sakurel",
"VIPER"
]
},
"related": [
{
"dest-uuid": "3eca2d5f-41bf-4ad4-847f-df18befcdc44",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f6c137f0-979c-4ce2-a0e5-2a080a5a1746",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
"value": "Sakula - S0074"
},
{
"description": "[PinchDuke](https://attack.mitre.org/software/S0048) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2008 to 2010. (Citation: F-Secure The Dukes)",
"meta": {
"external_id": "S0048",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0048",
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
],
"synonyms": [
"PinchDuke"
]
},
"related": [
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164",
"value": "PinchDuke - S0048"
},
{
"description": "[GeminiDuke](https://attack.mitre.org/software/S0049) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2009 to 2012. (Citation: F-Secure The Dukes)",
"meta": {
"external_id": "S0049",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0049",
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
],
"synonyms": [
"GeminiDuke"
]
},
"related": [
{
"dest-uuid": "6a28a648-30c0-4d1d-bd67-81a8dc6486ba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6",
"value": "GeminiDuke - S0049"
},
{
"description": "[RARSTONE](https://attack.mitre.org/software/S0055) is malware used by the [Naikon](https://attack.mitre.org/groups/G0019) group that has some characteristics similar to [PlugX](https://attack.mitre.org/software/S0013). (Citation: Aquino RARSTONE)",
"meta": {
"external_id": "S0055",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0055",
"http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/"
],
"synonyms": [
"RARSTONE"
]
},
"related": [
{
"dest-uuid": "5d2dd6ad-6bb2-45d3-b295-e125d3399c8d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "8c553311-0baa-4146-997a-f79acef3d831",
"value": "RARSTONE - S0055"
},
{
"description": "[SslMM](https://attack.mitre.org/software/S0058) is a full-featured backdoor used by [Naikon](https://attack.mitre.org/groups/G0019) that has multiple variants. (Citation: Baumgartner Naikon 2015)",
"meta": {
"external_id": "S0058",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0058",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"
],
"synonyms": [
"SslMM"
]
},
"related": [
{
"dest-uuid": "009db412-762d-4256-8df9-eb213be01ffd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
"value": "SslMM - S0058"
},
{
"description": "[WinMM](https://attack.mitre.org/software/S0059) is a full-featured, simple backdoor used by [Naikon](https://attack.mitre.org/groups/G0019). (Citation: Baumgartner Naikon 2015)",
"meta": {
"external_id": "S0059",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0059",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"
],
"synonyms": [
"WinMM"
]
},
"related": [
{
"dest-uuid": "6a100902-7204-4f20-b838-545ed86d4428",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "22addc7b-b39f-483d-979a-1b35147da5de",
"value": "WinMM - S0059"
},
{
"description": "[FakeM](https://attack.mitre.org/software/S0076) is a shellcode-based Windows backdoor that has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). (Citation: Scarlet Mimic Jan 2016)",
"meta": {
"external_id": "S0076",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0076",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
],
"synonyms": [
"FakeM"
]
},
"related": [
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "bb3c1098-d654-4620-bf40-694386d28921",
"value": "FakeM - S0076"
},
{
"description": "[pngdowner](https://attack.mitre.org/software/S0067) is malware used by [Putter Panda](https://attack.mitre.org/groups/G0024). It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple \"download-and-\nexecute\" utility. (Citation: CrowdStrike Putter Panda)",
"meta": {
"external_id": "S0067",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0067",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
],
"synonyms": [
"pngdowner"
]
},
"related": [
{
"dest-uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d",
"value": "pngdowner - S0067"
},
{
"description": "[ZLib](https://attack.mitre.org/software/S0086) is a full-featured backdoor that was used as a second-stage implant by [Dust Storm](https://attack.mitre.org/groups/G0031) from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived. (Citation: Cylance Dust Storm)",
"meta": {
"external_id": "S0086",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0086",
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf"
],
"synonyms": [
"ZLib"
]
},
"related": [
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
"value": "ZLib - S0086"
},
{
"description": "[httpclient](https://attack.mitre.org/software/S0068) is malware used by [Putter Panda](https://attack.mitre.org/groups/G0024). It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. (Citation: CrowdStrike Putter Panda)",
"meta": {
"external_id": "S0068",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0068",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
],
"synonyms": [
"httpclient"
]
},
"related": [
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0",
"value": "httpclient - S0068"
},
{
"description": "[BLACKCOFFEE](https://attack.mitre.org/software/S0069) is malware that has been used by several Chinese groups since at least 2013. (Citation: FireEye APT17) (Citation: FireEye Periscope March 2018)",
"meta": {
"external_id": "S0069",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0069",
"https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
],
"synonyms": [
"BLACKCOFFEE"
]
},
"related": [
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43",
"value": "BLACKCOFFEE - S0069"
},
{
"description": "[CallMe](https://attack.mitre.org/software/S0077) is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. (Citation: Scarlet Mimic Jan 2016)",
"meta": {
"external_id": "S0077",
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0077",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
],
"synonyms": [
"CallMe"
]
},
"related": [
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5",
"value": "CallMe - S0077"
},
{
"description": "[Psylo](https://attack.mitre.org/software/S0078) is a shellcode-based Trojan that has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). It has similar characteristics as [FakeM](https://attack.mitre.org/software/S0076). (Citation: Scarlet Mimic Jan 2016)",
"meta": {
"external_id": "S0078",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0078",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
],
"synonyms": [
"Psylo"
]
},
"related": [
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b",
"value": "Psylo - S0078"
},
{
"description": "[MobileOrder](https://attack.mitre.org/software/S0079) is a Trojan intended to compromise Android mobile devices. It has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). (Citation: Scarlet Mimic Jan 2016)",
"meta": {
"external_id": "S0079",
"refs": [
"https://attack.mitre.org/software/S0079",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
],
"synonyms": [
"MobileOrder"
]
},
"related": [
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4",
"value": "MobileOrder - S0079"
},
{
"description": "[Kasidet](https://attack.mitre.org/software/S0088) is a backdoor that has been dropped by using malicious VBA macros. (Citation: Zscaler Kasidet)",
"meta": {
"external_id": "S0088",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0088",
"http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html"
],
"synonyms": [
"Kasidet"
]
},
"related": [
{
"dest-uuid": "3760920e-4d1a-40d8-9e60-508079499076",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
"value": "Kasidet - S0088"
},
{
"description": "[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)",
"meta": {
"external_id": "S0089",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0089",
"https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf"
],
"synonyms": [
"BlackEnergy",
"Black Energy"
]
},
"related": [
{
"dest-uuid": "5a22cad7-65fa-4b7a-a7aa-7915a6101efa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "82c644ab-550a-4a83-9b35-d545f4719069",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"value": "BlackEnergy - S0089"
},
{
"description": "[H1N1](https://attack.mitre.org/software/S0132) is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. (Citation: Cisco H1N1 Part 1)",
"meta": {
"external_id": "S0132",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0132",
"http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities"
],
"synonyms": [
"H1N1"
]
},
"related": [
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
"value": "H1N1 - S0132"
},
{
"description": "[ROCKBOOT](https://attack.mitre.org/software/S0112) is a [Bootkit](https://attack.mitre.org/techniques/T1067) that has been used by an unidentified, suspected China-based group. (Citation: FireEye Bootkits)",
"meta": {
"external_id": "S0112",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0112",
"https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html"
],
"synonyms": [
"ROCKBOOT"
]
},
"related": [
{
"dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7",
"value": "ROCKBOOT - S0112"
},
{
"description": "[Linfo](https://attack.mitre.org/software/S0211) is a rootkit trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Linfo May 2012)",
"meta": {
"external_id": "S0211",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0211",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99"
],
"synonyms": [
"Linfo"
]
},
"related": [
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613",
"value": "Linfo - S0211"
},
{
"description": "[TINYTYPHON](https://attack.mitre.org/software/S0131) is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. (Citation: Forcepoint Monsoon)",
"meta": {
"external_id": "S0131",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0131",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
],
"synonyms": [
"TINYTYPHON"
]
},
"related": [
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca",
"value": "TINYTYPHON - S0131"
},
{
"description": "[Prikormka](https://attack.mitre.org/software/S0113) is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. (Citation: ESET Operation Groundbait)",
"meta": {
"external_id": "S0113",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0113",
"http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf"
],
"synonyms": [
"Prikormka"
]
},
"related": [
{
"dest-uuid": "67ade442-63f2-4319-bdcd-d2564b963ed6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"value": "Prikormka - S0113"
},
{
"description": "[YiSpecter](https://attack.mitre.org/software/S0311) iOS malware that affects both jailbroken and non-jailbroken iOS devices. It is also unique because it abuses private APIs in the iOS system to implement functionality. (Citation: PaloAlto-YiSpecter)",
"meta": {
"external_id": "S0311",
"mitre_platforms": [
"iOS"
],
"refs": [
"https://attack.mitre.org/software/S0311",
"https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
],
"synonyms": [
"YiSpecter"
]
},
"related": [
{
"dest-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9",
"value": "YiSpecter - S0311"
},
{
"description": "[BOOTRASH](https://attack.mitre.org/software/S0114) is a [Bootkit](https://attack.mitre.org/techniques/T1067) that targets Windows operating systems. It has been used by threat actors that target the financial sector. (Citation: MTrends 2016)",
"meta": {
"external_id": "S0114",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0114",
"https://www.fireeye.com/content/dam/fireeye-www/regional/fr_FR/offers/pdfs/ig-mtrends-2016.pdf"
],
"synonyms": [
"BOOTRASH"
]
},
"related": [
{
"dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3",
"value": "BOOTRASH - S0114"
},
{
"description": "[Winnti](https://attack.mitre.org/software/S0141) is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, [Winnti Group](https://attack.mitre.org/groups/G0044); however, reporting indicates a second distinct group, [Axiom](https://attack.mitre.org/groups/G0001), also uses the malware. (Citation: Kaspersky Winnti April 2013) (Citation: Microsoft Winnti Jan 2017) (Citation: Novetta Winnti April 2015)",
"meta": {
"external_id": "S0141",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0141",
"https://securelist.com/winnti-more-than-just-a-game/37029/",
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf"
],
"synonyms": [
"Winnti"
]
},
"related": [
{
"dest-uuid": "9b3a4cff-1c5a-4fd6-b49c-27240b6d622c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d3afa961-a80c-4043-9509-282cdf69ab21",
"value": "Winnti - S0141"
},
{
"description": "[HALFBAKED](https://attack.mitre.org/software/S0151) is a malware family consisting of multiple components intended to establish persistence in victim networks. (Citation: FireEye FIN7 April 2017)",
"meta": {
"external_id": "S0151",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0151",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
],
"synonyms": [
"HALFBAKED"
]
},
"related": [
{
"dest-uuid": "2815a353-cd56-4ed0-8581-812b94f7a326",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "71ac10de-1103-40a7-b65b-f97dab9769bf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f",
"value": "HALFBAKED - S0151"
},
{
"description": "[Crimson](https://attack.mitre.org/software/S0115) is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims. (Citation: Proofpoint Operation Transparent Tribe March 2016)",
"meta": {
"external_id": "S0115",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0115",
"https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
],
"synonyms": [
"Crimson",
"MSIL/Crimson"
]
},
"related": [
{
"dest-uuid": "8d8efbc6-d1b7-4ec8-bab3-591edba337d0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "858edfb8-793a-430b-8acc-4310e7d2f0d3",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a61fc694-a88a-484d-a648-db35b49932fd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
"value": "Crimson - S0115"
},
{
"description": "[XAgentOSX](https://attack.mitre.org/software/S0161) is a trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be a port of their standard [CHOPSTICK](https://attack.mitre.org/software/S0023) or XAgent trojan. (Citation: XAgentOSX 2017)",
"meta": {
"external_id": "S0161",
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0161",
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/",
"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government"
],
"synonyms": [
"XAgentOSX",
"OSX.Sofacy"
]
},
"related": [
{
"dest-uuid": "5930509b-7793-4db9-bdfc-4edda7709d0d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
"value": "XAgentOSX - S0161"
},
{
"description": "[Felismus](https://attack.mitre.org/software/S0171) is a modular backdoor that has been used by [Sowbug](https://attack.mitre.org/groups/G0054). (Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)",
"meta": {
"external_id": "S0171",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0171",
"https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments",
"https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware"
],
"synonyms": [
"Felismus"
]
},
"related": [
{
"dest-uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
"value": "Felismus - S0171"
},
{
"description": "[XTunnel](https://attack.mitre.org/software/S0117) a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by [APT28](https://attack.mitre.org/groups/G0007) during the compromise of the Democratic National Committee. (Citation: Crowdstrike DNC June 2016) (Citation: Invincea XTunnel) (Citation: ESET Sednit Part 2)",
"meta": {
"external_id": "S0117",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0117",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government"
],
"synonyms": [
"XTunnel",
"Trojan.Shunnael",
"X-Tunnel",
"XAPS"
]
},
"related": [
{
"dest-uuid": "6d180bd7-3c77-4faf-b98b-dc2ab5f49101",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
"value": "XTunnel - S0117"
},
{
"description": "[FALLCHILL](https://attack.mitre.org/software/S0181) is a RAT that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other [Lazarus Group](https://attack.mitre.org/groups/G0032) malware or delivered when a victim unknowingly visits a compromised website. (Citation: US-CERT FALLCHILL Nov 2017)",
"meta": {
"external_id": "S0181",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0181",
"https://www.us-cert.gov/ncas/alerts/TA17-318A"
],
"synonyms": [
"FALLCHILL"
]
},
"related": [
{
"dest-uuid": "e0bea149-2def-484f-b658-f782a4f94815",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e",
"value": "FALLCHILL - S0181"
},
{
"description": "[Nidiran](https://attack.mitre.org/software/S0118) is a custom backdoor developed and used by [Suckfly](https://attack.mitre.org/groups/G0039). It has been delivered via strategic web compromise. (Citation: Symantec Suckfly March 2016)",
"meta": {
"external_id": "S0118",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0118",
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
],
"synonyms": [
"Nidiran",
"Backdoor.Nidiran"
]
},
"related": [
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe",
"value": "Nidiran - S0118"
},
{
"description": "[CORALDECK](https://attack.mitre.org/software/S0212) is an exfiltration tool used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)",
"meta": {
"external_id": "S0212",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0212",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
],
"synonyms": [
"CORALDECK"
]
},
"related": [
{
"dest-uuid": "becf81e5-f989-4093-a67d-d55a0483885f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e",
"value": "CORALDECK - S0212"
},
{
"description": "A Linux rootkit that provides backdoor access and hides from defenders.",
"meta": {
"external_id": "S0221",
"mitre_platforms": [
"Linux"
],
"refs": [
"https://attack.mitre.org/software/S0221",
"https://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/?_ga=2.180041126.367598458.1505420282-1759340220.1502477046"
],
"synonyms": [
"Umbreon"
]
},
"related": [
{
"dest-uuid": "2a18f5dd-40fc-444b-a7c6-85f94b3eee13",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3d8e547d-9456-4f32-a895-dc86134e282f",
"value": "Umbreon - S0221"
},
{
"description": "[DOGCALL](https://attack.mitre.org/software/S0213) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018)",
"meta": {
"external_id": "S0213",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0213",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
],
"synonyms": [
"DOGCALL"
]
},
"related": [
{
"dest-uuid": "a5e851b4-e046-43b6-bc6e-c6c008e3c5aa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d",
"value": "DOGCALL - S0213"
},
{
"description": "[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. (Citation: ArsTechnica-HummingWhale)",
"meta": {
"external_id": "S0321",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0321",
"http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/"
],
"synonyms": [
"HummingWhale"
]
},
"related": [
{
"dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f",
"value": "HummingWhale - S0321"
},
{
"description": "[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. (Citation: PaloAlto-WireLurker)",
"meta": {
"external_id": "S0312",
"mitre_platforms": [
"iOS"
],
"refs": [
"https://attack.mitre.org/software/S0312",
"https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/"
],
"synonyms": [
"WireLurker"
]
},
"related": [
{
"dest-uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
"value": "WireLurker - S0312"
},
{
"description": "[RATANKBA](https://attack.mitre.org/software/S0241) is a remote controller tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032). [RATANKBA](https://attack.mitre.org/software/S0241) has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. [RATANKBA](https://attack.mitre.org/software/S0241) has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. (Citation: Lazarus RATANKBA) (Citation: RATANKBA)",
"meta": {
"external_id": "S0241",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0241",
"https://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/"
],
"synonyms": [
"RATANKBA"
]
},
"related": [
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9b325b06-35a1-457d-be46-a4ecc0b7ff0c",
"value": "RATANKBA - S0241"
},
{
"description": "[HAPPYWORK](https://attack.mitre.org/software/S0214) is a downloader used by [APT37](https://attack.mitre.org/groups/G0067) to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018)",
"meta": {
"external_id": "S0214",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0214",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
],
"synonyms": [
"HAPPYWORK"
]
},
"related": [
{
"dest-uuid": "656cd201-d57a-4a2f-a201-531eb4922a72",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68",
"value": "HAPPYWORK - S0214"
},
{
"description": "[StreamEx](https://attack.mitre.org/software/S0142) is a malware family that has been used by [Deep Panda](https://attack.mitre.org/groups/G0009) since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. (Citation: Cylance Shell Crew Feb 2017)",
"meta": {
"external_id": "S0142",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0142",
"https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
],
"synonyms": [
"StreamEx"
]
},
"related": [
{
"dest-uuid": "9991ace8-1a62-498c-a9ef-19d474deb505",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86",
"value": "StreamEx - S0142"
},
{
"description": "[Pisloader](https://attack.mitre.org/software/S0124) is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by [APT18](https://attack.mitre.org/groups/G0026) and is similar to another malware family, [HTTPBrowser](https://attack.mitre.org/software/S0070), that has been used by the group. (Citation: Palo Alto DNS Requests)",
"meta": {
"external_id": "S0124",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0124",
"http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/"
],
"synonyms": [
"Pisloader"
]
},
"related": [
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236",
"value": "Pisloader - S0124"
},
{
"description": "[KARAE](https://attack.mitre.org/software/S0215) is a backdoor typically used by [APT37](https://attack.mitre.org/groups/G0067) as first-stage malware. (Citation: FireEye APT37 Feb 2018)",
"meta": {
"external_id": "S0215",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0215",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
],
"synonyms": [
"KARAE"
]
},
"related": [
{
"dest-uuid": "70ca8408-bc45-4d39-acd2-9190ba15ea97",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322",
"value": "KARAE - S0215"
},
{
"description": "[EvilGrab](https://attack.mitre.org/software/S0152) is a malware family with common reconnaissance capabilities. It has been deployed by [menuPass](https://attack.mitre.org/groups/G0045) via malicious Microsoft Office documents as part of spearphishing campaigns. (Citation: PWC Cloud Hopper Technical Annex April 2017)",
"meta": {
"external_id": "S0152",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0152",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
],
"synonyms": [
"EvilGrab"
]
},
"related": [
{
"dest-uuid": "c9b4ec27-0a43-4671-a967-bcac5df0e056",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "c542f369-f06d-4168-8c84-fdf5fc7f2a8d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
"value": "EvilGrab - S0152"
},
{
"description": "[Remsec](https://attack.mitre.org/software/S0125) is a modular backdoor that has been used by [Strider](https://attack.mitre.org/groups/G0041) and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. (Citation: Symantec Strider Blog)",
"meta": {
"external_id": "S0125",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0125",
"http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
"https://securelist.com/faq-the-projectsauron-apt/75533/"
],
"synonyms": [
"Remsec",
"Backdoor.Remsec",
"ProjectSauron"
]
},
"related": [
{
"dest-uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"value": "Remsec - S0125"
},
{
"description": "[Zebrocy](https://attack.mitre.org/software/S0251) is a Trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, and VB.NET. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)",
"meta": {
"external_id": "S0251",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0251",
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
"https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
"https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/",
"https://www.cyberscoop.com/apt28-brexit-phishing-accenture/",
"https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50"
],
"synonyms": [
"Zebrocy",
"Zekapab"
]
},
"related": [
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a4f57468-fbd5-49e4-8476-52088220b92d",
"value": "Zebrocy - S0251"
},
{
"description": "[ComRAT](https://attack.mitre.org/software/S0126) is a remote access tool suspected of being a decedent of [Agent.btz](https://attack.mitre.org/software/S0092) and used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Symantec Waterbug) (Citation: NorthSec 2015 GData Uroburos Tools)",
"meta": {
"external_id": "S0126",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0126",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
"https://www.nsec.io/wp-content/uploads/2015/05/uroburos-actors-tools-1.1.pdf"
],
"synonyms": [
"ComRAT"
]
},
"related": [
{
"dest-uuid": "9223bf17-7e32-4833-9574-9ffd8c929765",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "da079741-05e6-458c-b434-011263dc691c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565",
"value": "ComRAT - S0126"
},
{
"description": "[POORAIM](https://attack.mitre.org/software/S0216) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) in campaigns since at least 2014. (Citation: FireEye APT37 Feb 2018)",
"meta": {
"external_id": "S0216",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0216",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
],
"synonyms": [
"POORAIM"
]
},
"related": [
{
"dest-uuid": "fe97ace3-9a80-42af-9eae-1f9245927e5d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79",
"value": "POORAIM - S0216"
},
{
"description": "[Catchamas](https://attack.mitre.org/software/S0261) is a Windows Trojan that steals information from compromised systems. (Citation: Symantec Catchamas April 2018)",
"meta": {
"external_id": "S0261",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0261",
"https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99"
],
"synonyms": [
"Catchamas"
]
},
"related": [
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "8d9e758b-735f-4cbc-ba7c-32cd15138b2a",
"value": "Catchamas - S0261"
},
{
"description": "[Komplex](https://attack.mitre.org/software/S0162) is a backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be developed in a similar manner to [XAgentOSX](https://attack.mitre.org/software/S0161) (Citation: XAgentOSX 2017) (Citation: Sofacy Komplex Trojan).",
"meta": {
"external_id": "S0162",
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0162",
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/",
"https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
],
"synonyms": [
"Komplex"
]
},
"related": [
{
"dest-uuid": "75c79f95-4c84-4650-9158-510f0ce4831d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f108215f-3487-489d-be8b-80e346d32518",
"value": "Komplex - S0162"
},
{
"description": "[BBSRAT](https://attack.mitre.org/software/S0127) is malware with remote access tool functionality that has been used in targeted compromises. (Citation: Palo Alto Networks BBSRAT)",
"meta": {
"external_id": "S0127",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0127",
"http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/"
],
"synonyms": [
"BBSRAT"
]
},
"related": [
{
"dest-uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"value": "BBSRAT - S0127"
},
{
"description": "[KEYMARBLE](https://attack.mitre.org/software/S0271) is a Trojan that has reportedly been used by the North Korean government. (Citation: US-CERT KEYMARBLE Aug 2018)",
"meta": {
"external_id": "S0271",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0271",
"https://www.us-cert.gov/ncas/analysis-reports/AR18-221A"
],
"synonyms": [
"KEYMARBLE"
]
},
"related": [
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22",
"value": "KEYMARBLE - S0271"
},
{
"description": "[SHUTTERSPEED](https://attack.mitre.org/software/S0217) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)",
"meta": {
"external_id": "S0217",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0217",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
],
"synonyms": [
"SHUTTERSPEED"
]
},
"related": [
{
"dest-uuid": "d909efe3-abc3-4be0-9640-e4727542fa2b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8",
"value": "SHUTTERSPEED - S0217"
},
{
"description": "[Reaver](https://attack.mitre.org/software/S0172) is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the \"Five Poisons,\" which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of [Control Panel Items](https://attack.mitre.org/techniques/T1196). (Citation: Palo Alto Reaver Nov 2017)",
"meta": {
"external_id": "S0172",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0172",
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
],
"synonyms": [
"Reaver"
]
},
"related": [
{
"dest-uuid": "826c31ca-2617-47e4-b236-205da3881182",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
"value": "Reaver - S0172"
},
{
"description": "[BADNEWS](https://attack.mitre.org/software/S0128) is malware that has been used by the actors responsible for the [Patchwork](https://attack.mitre.org/groups/G0040) campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017)",
"meta": {
"external_id": "S0128",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0128",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
],
"synonyms": [
"BADNEWS"
]
},
"related": [
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"value": "BADNEWS - S0128"
},
{
"description": "[SLOWDRIFT](https://attack.mitre.org/software/S0218) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) against academic and strategic victims in South Korea. (Citation: FireEye APT37 Feb 2018)",
"meta": {
"external_id": "S0218",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0218",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
],
"synonyms": [
"SLOWDRIFT"
]
},
"related": [
{
"dest-uuid": "e5a9a2ec-348e-4a2f-98dd-16c3e8845576",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16",
"value": "SLOWDRIFT - S0218"
},
{
"description": "[Dok](https://attack.mitre.org/software/S0281) steals banking information through man-in-the-middle (Citation: objsee mac malware 2017).",
"meta": {
"external_id": "S0281",
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0281",
"https://objective-see.com/blog/blog_0x25.html"
],
"synonyms": [
"Dok",
"Retefe"
]
},
"related": [
{
"dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f36b2598-515f-4345-84e5-5ccde253edbe",
"value": "Dok - S0281"
},
{
"description": "[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)",
"meta": {
"external_id": "S0182",
"mitre_platforms": [
"Windows",
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0182",
"http://www.finfisher.com/FinFisher/index.html",
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf",
"https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html",
"https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/",
"https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/"
],
"synonyms": [
"FinFisher",
"FinSpy"
]
},
"related": [
{
"dest-uuid": "541b64bc-87ec-4cc2-aaee-329355987853",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3911658a-6506-4deb-9ab4-595a51ae71ad",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858",
"value": "FinFisher - S0182"
},
{
"description": "[WINERACK](https://attack.mitre.org/software/S0219) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)",
"meta": {
"external_id": "S0219",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0219",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
],
"synonyms": [
"WINERACK"
]
},
"related": [
{
"dest-uuid": "49025073-4cd3-43b8-b893-e80a1d3adc04",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "49abab73-3c5c-476e-afd5-69b5c732d845",
"value": "WINERACK - S0219"
},
{
"description": "[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. (Citation: Lookout-EnterpriseApps)",
"meta": {
"external_id": "S0291",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0291",
"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
],
"synonyms": [
"PJApps"
]
},
"related": [
{
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c709da93-20c3-4d17-ab68-48cba76b2137",
"value": "PJApps - S0291"
},
{
"description": "[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. (Citation: FireEye-RuMMS)",
"meta": {
"external_id": "S0313",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0313",
"https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
],
"synonyms": [
"RuMMS"
]
},
"related": [
{
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "936be60d-90eb-4c36-9247-4b31128432c4",
"value": "RuMMS - S0313"
},
{
"description": "[Downdelph](https://attack.mitre.org/software/S0134) is a first-stage downloader written in Delphi that has been used by [APT28](https://attack.mitre.org/groups/G0007) in rare instances between 2013 and 2015. (Citation: ESET Sednit Part 3)",
"meta": {
"external_id": "S0134",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0134",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf"
],
"synonyms": [
"Downdelph",
"Delphacy"
]
},
"related": [
{
"dest-uuid": "837a295c-15ff-41c0-9b7e-5f2fb502b00a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519",
"value": "Downdelph - S0134"
},
{
"description": "Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame)",
"meta": {
"external_id": "S0143",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0143",
"https://securelist.com/the-flame-questions-and-answers-51/34344/",
"https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache",
"https://www.crysys.hu/publications/files/skywiper.pdf"
],
"synonyms": [
"Flame",
"Flamer",
"sKyWIper"
]
},
"related": [
{
"dest-uuid": "d7963066-62ed-4494-9b8c-4b8b691a7c82",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
"value": "Flame - S0143"
},
{
"description": "[Xbash](https://attack.mitre.org/software/S0341) is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. [Xbash](https://attack.mitre.org/software/S0341) was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.(Citation: Unit42 Xbash Sept 2018)",
"meta": {
"external_id": "S0341",
"mitre_platforms": [
"Windows",
"Linux"
],
"refs": [
"https://attack.mitre.org/software/S0341",
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
],
"synonyms": [
"Xbash"
]
},
"related": [
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "6a92d80f-cc65-45f6-aa66-3cdea6786b3c",
"value": "Xbash - S0341"
},
{
"description": "[Final1stspy](https://attack.mitre.org/software/S0355) is a dropper family that has been used to deliver [DOGCALL](https://attack.mitre.org/software/S0213).(Citation: Unit 42 Nokki Oct 2018)",
"meta": {
"external_id": "S0355",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0355",
"https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/"
],
"synonyms": [
"Final1stspy"
]
},
"related": [
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71",
"value": "Final1stspy - S0355"
},
{
"description": "[Cannon](https://attack.mitre.org/software/S0351) is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. (Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)",
"meta": {
"external_id": "S0351",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0351",
"https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
"https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/"
],
"synonyms": [
"Cannon"
]
},
"related": [
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d20b397a-ea47-48a9-b503-2e2a3551e11d",
"value": "Cannon - S0351"
},
{
"description": "[HIDEDRV](https://attack.mitre.org/software/S0135) is a rootkit used by [APT28](https://attack.mitre.org/groups/G0007). It has been deployed along with [Downdelph](https://attack.mitre.org/software/S0134) to execute and hide that malware. (Citation: ESET Sednit Part 3) (Citation: Sekoia HideDRV Oct 2016)",
"meta": {
"external_id": "S0135",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0135",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf",
"http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf"
],
"synonyms": [
"HIDEDRV"
]
},
"related": [
{
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4",
"value": "HIDEDRV - S0135"
},
{
"description": "[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)",
"meta": {
"external_id": "S0315",
"mitre_platforms": [
"Android",
"iOS"
],
"refs": [
"https://attack.mitre.org/software/S0315",
"https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
],
"synonyms": [
"DualToy"
]
},
"related": [
{
"dest-uuid": "8269e779-db23-4c94-aafb-36ee94879417",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878",
"value": "DualToy - S0315"
},
{
"description": "[RedLeaves](https://attack.mitre.org/software/S0153) is a malware family used by [menuPass](https://attack.mitre.org/groups/G0045). The code overlaps with [PlugX](https://attack.mitre.org/software/S0013) and may be based upon the open source tool Trochilus. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017)",
"meta": {
"external_id": "S0153",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0153",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
"https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
"https://twitter.com/ItsReallyNick/status/850105140589633536"
],
"synonyms": [
"RedLeaves",
"BUGJUICE"
]
},
"related": [
{
"dest-uuid": "ad6a1b4a-6d79-40d4-adb7-1d7ca697347e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "90124cc8-1205-4e63-83ad-5c45a110b1e6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3df08e23-1d0b-41ed-b735-c4eca46ce48e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a70e93a7-3578-47e1-9926-0818979ed866",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"value": "RedLeaves - S0153"
},
{
"description": "[USBStealer](https://attack.mitre.org/software/S0136) is malware that has used by [APT28](https://attack.mitre.org/groups/G0007) since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with [ADVSTORESHELL](https://attack.mitre.org/software/S0045). (Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy)",
"meta": {
"external_id": "S0136",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0136",
"http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/",
"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
],
"synonyms": [
"USBStealer",
"USB Stealer",
"Win32/USBStealer"
]
},
"related": [
{
"dest-uuid": "44909efb-7cd3-42e3-b225-9f3e96b5f362",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"value": "USBStealer - S0136"
},
{
"description": "[Janicab](https://attack.mitre.org/software/S0163) is an OS X trojan that relied on a valid developer ID and oblivious users to install it. (Citation: Janicab)",
"meta": {
"external_id": "S0163",
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0163",
"http://www.thesafemac.com/new-signed-malware-called-janicab/"
],
"synonyms": [
"Janicab"
]
},
"related": [
{
"dest-uuid": "c3c20c4b-e12a-42e5-960a-eea4644014f4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4af4e96f-c92d-4a45-9958-a88ad8deb38d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "234e7770-99b0-4f65-b983-d3230f76a60b",
"value": "Janicab - S0163"
},
{
"description": "[CORESHELL](https://attack.mitre.org/software/S0137) is a downloader used by [APT28](https://attack.mitre.org/groups/G0007). The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)",
"meta": {
"external_id": "S0137",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0137",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf",
"https://securelist.com/a-slice-of-2017-sofacy-activity/83930/"
],
"synonyms": [
"CORESHELL",
"Sofacy",
"SOURFACE"
]
},
"related": [
{
"dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"value": "CORESHELL - S0137"
},
{
"description": "[FLIPSIDE](https://attack.mitre.org/software/S0173) is a simple tool similar to Plink that is used by [FIN5](https://attack.mitre.org/groups/G0053) to maintain access to victims. (Citation: Mandiant FIN5 GrrCON Oct 2016)",
"meta": {
"external_id": "S0173",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0173",
"https://www.youtube.com/watch?v=fevGZs0EQu8"
],
"synonyms": [
"FLIPSIDE"
]
},
"related": [
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0e18b800-906c-4e44-a143-b11c72b3448b",
"value": "FLIPSIDE - S0173"
},
{
"description": "[POWERTON](https://attack.mitre.org/software/S0371) is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by [APT33](https://attack.mitre.org/groups/G0064). At least two variants of the backdoor have been identified, with the later version containing improved functionality.(Citation: FireEye APT33 Guardrail)",
"meta": {
"external_id": "S0371",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0371",
"https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html"
],
"synonyms": [
"POWERTON"
]
},
"related": [
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e85cae1a-bce3-4ac4-b36b-b00acac0567b",
"value": "POWERTON - S0371"
},
{
"description": "[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. (Citation: Proofpoint-Marcher)",
"meta": {
"external_id": "S0317",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0317",
"https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks"
],
"synonyms": [
"Marcher"
]
},
"related": [
{
"dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f9854ba6-989d-43bf-828b-7240b8a65291",
"value": "Marcher - S0317"
},
{
"description": "[OLDBAIT](https://attack.mitre.org/software/S0138) is a credential harvester used by [APT28](https://attack.mitre.org/groups/G0007). (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)",
"meta": {
"external_id": "S0138",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0138",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
],
"synonyms": [
"OLDBAIT",
"Sasfis"
]
},
"related": [
{
"dest-uuid": "6d1e2736-d363-49aa-9054-9c9e4ac0c520",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be",
"value": "OLDBAIT - S0138"
},
{
"description": "[FlawedAmmyy](https://attack.mitre.org/software/S0381) is a remote access tool (RAT) that was first seen in early 2016. The code for [FlawedAmmyy](https://attack.mitre.org/software/S0381) was based on leaked source code for a version of Ammyy Admin, a remote access software.(Citation: Proofpoint TA505 Mar 2018)",
"meta": {
"external_id": "S0381",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0381",
"https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware"
],
"synonyms": [
"FlawedAmmyy"
]
},
"related": [
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "432555de-63bf-4f2a-a3fa-f720a4561078",
"value": "FlawedAmmyy - S0381"
},
{
"description": "[XLoader](https://attack.mitre.org/software/S0318) is a malicious Android app that was observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. (Citation: TrendMicro-XLoader)",
"meta": {
"external_id": "S0318",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0318",
"https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"
],
"synonyms": [
"XLoader"
]
},
"related": [
{
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2740eaf6-2db2-4a40-a63f-f5b166c7059c",
"value": "XLoader - S0318"
},
{
"description": "[HAWKBALL](https://attack.mitre.org/software/S0391) is a backdoor that was observed in targeting of the government sector in Central Asia.(Citation: FireEye HAWKBALL Jun 2019)",
"meta": {
"external_id": "S0391",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0391",
"https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html"
],
"synonyms": [
"HAWKBALL"
]
},
"related": [
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "12a7450d-b03e-4990-a5b8-b405ab9c803b",
"value": "HAWKBALL - S0391"
},
{
"description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)",
"meta": {
"external_id": "S0319",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0319",
"https://thehackernews.com/2016/05/android-kernal-exploit.html"
],
"synonyms": [
"Allwinner"
]
},
"related": [
{
"dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "08784a9d-09e9-4dce-a839-9612398214e8",
"value": "Allwinner - S0319"
},
{
"description": "[PowerDuke](https://attack.mitre.org/software/S0139) is a backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. (Citation: Volexity PowerDuke November 2016)",
"meta": {
"external_id": "S0139",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0139",
"https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
],
"synonyms": [
"PowerDuke"
]
},
"related": [
{
"dest-uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"value": "PowerDuke - S0139"
},
{
"description": "[ChChes](https://attack.mitre.org/software/S0144) is a Trojan that appears to be used exclusively by [menuPass](https://attack.mitre.org/groups/G0045). It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017)",
"meta": {
"external_id": "S0144",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0144",
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
"http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
"https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
"https://twitter.com/ItsReallyNick/status/850105140589633536"
],
"synonyms": [
"ChChes",
"Scorpion",
"HAYMAKER"
]
},
"related": [
{
"dest-uuid": "d71604d2-a17e-4b4e-82be-19cb54f93161",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
"value": "ChChes - S0144"
},
{
"description": "[POWERSOURCE](https://attack.mitre.org/software/S0145) is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017)",
"meta": {
"external_id": "S0145",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0145",
"https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html",
"http://blog.talosintelligence.com/2017/03/dnsmessenger.html"
],
"synonyms": [
"POWERSOURCE",
"DNSMessenger"
]
},
"related": [
{
"dest-uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
"value": "POWERSOURCE - S0145"
},
{
"description": "[TEXTMATE](https://attack.mitre.org/software/S0146) is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with [POWERSOURCE](https://attack.mitre.org/software/S0145) in February 2017. (Citation: FireEye FIN7 March 2017)",
"meta": {
"external_id": "S0146",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0146",
"https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html",
"http://blog.talosintelligence.com/2017/03/dnsmessenger.html"
],
"synonyms": [
"TEXTMATE",
"DNSMessenger"
]
},
"related": [
{
"dest-uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
"value": "TEXTMATE - S0146"
},
{
"description": "[TDTESS](https://attack.mitre.org/software/S0164) is a 64-bit .NET binary backdoor used by [CopyKittens](https://attack.mitre.org/groups/G0052). (Citation: ClearSky Wilted Tulip July 2017)",
"meta": {
"external_id": "S0164",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0164",
"http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf"
],
"synonyms": [
"TDTESS"
]
},
"related": [
{
"dest-uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a",
"value": "TDTESS - S0164"
},
{
"description": "[Pteranodon](https://attack.mitre.org/software/S0147) is a custom backdoor used by [Gamaredon Group](https://attack.mitre.org/groups/G0047). (Citation: Palo Alto Gamaredon Feb 2017)",
"meta": {
"external_id": "S0147",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0147",
"https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
],
"synonyms": [
"Pteranodon"
]
},
"related": [
{
"dest-uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"value": "Pteranodon - S0147"
},
{
"description": "[POWRUNER](https://attack.mitre.org/software/S0184) is a PowerShell script that sends and receives commands to and from the C2 server. (Citation: FireEye APT34 Dec 2017)",
"meta": {
"external_id": "S0184",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0184",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
],
"synonyms": [
"POWRUNER"
]
},
"related": [
{
"dest-uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"value": "POWRUNER - S0184"
},
{
"description": "[RTM](https://attack.mitre.org/software/S0148) is custom malware written in Delphi. It is used by the group of the same name ([RTM](https://attack.mitre.org/groups/G0048)). (Citation: ESET RTM Feb 2017)",
"meta": {
"external_id": "S0148",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0148",
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
],
"synonyms": [
"RTM"
]
},
"related": [
{
"dest-uuid": "e6952b4d-e96d-4641-a88f-60074776d553",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"value": "RTM - S0148"
},
{
"description": "[MoonWind](https://attack.mitre.org/software/S0149) is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. (Citation: Palo Alto MoonWind March 2017)",
"meta": {
"external_id": "S0149",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0149",
"http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
],
"synonyms": [
"MoonWind"
]
},
"related": [
{
"dest-uuid": "f266754c-d0aa-4918-95a3-73b28eaa66e3",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "76ec1827-68a1-488f-9899-2b788ea8db64",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"value": "MoonWind - S0149"
},
{
"description": "[WINDSHIELD](https://attack.mitre.org/software/S0155) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)",
"meta": {
"external_id": "S0155",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0155",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
],
"synonyms": [
"WINDSHIELD"
]
},
"related": [
{
"dest-uuid": "a89ed72c-202d-486b-9349-6ffc0a61e30a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c",
"value": "WINDSHIELD - S0155"
},
{
"description": "[KOMPROGO](https://attack.mitre.org/software/S0156) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050) that is capable of process, file, and registry management. (Citation: FireEye APT32 May 2017)",
"meta": {
"external_id": "S0156",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0156",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
],
"synonyms": [
"KOMPROGO"
]
},
"related": [
{
"dest-uuid": "321e2bd3-2d98-41d6-8402-3949f514c548",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a",
"value": "KOMPROGO - S0156"
},
{
"description": "[OSInfo](https://attack.mitre.org/software/S0165) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to do internal discovery on a victim's computer and network. (Citation: Symantec Buckeye)",
"meta": {
"external_id": "S0165",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0165",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
],
"synonyms": [
"OSInfo"
]
},
"related": [
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8",
"value": "OSInfo - S0165"
},
{
"description": "[SOUNDBITE](https://attack.mitre.org/software/S0157) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)",
"meta": {
"external_id": "S0157",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0157",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
],
"synonyms": [
"SOUNDBITE"
]
},
"related": [
{
"dest-uuid": "f5ac89a7-e129-43b7-bd68-e3cb1e5a3ba2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9ca488bd-9587-48ef-b923-1743523e63b2",
"value": "SOUNDBITE - S0157"
},
{
"description": "[SEASHARPEE](https://attack.mitre.org/software/S0185) is a Web shell that has been used by [APT34](https://attack.mitre.org/groups/G0057). (Citation: FireEye APT34 Webinar Dec 2017)",
"meta": {
"external_id": "S0185",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0185",
"https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east"
],
"synonyms": [
"SEASHARPEE"
]
},
"related": [
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0998045d-f96e-4284-95ce-3c8219707486",
"value": "SEASHARPEE - S0185"
},
{
"description": "[PHOREAL](https://attack.mitre.org/software/S0158) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)",
"meta": {
"external_id": "S0158",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0158",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
],
"synonyms": [
"PHOREAL"
]
},
"related": [
{
"dest-uuid": "f9c6da03-8cb1-4383-9d52-a614c42082bf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e",
"value": "PHOREAL - S0158"
},
{
"description": "[SNUGRIDE](https://attack.mitre.org/software/S0159) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045) as first stage malware. (Citation: FireEye APT10 April 2017)",
"meta": {
"external_id": "S0159",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0159",
"https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html"
],
"synonyms": [
"SNUGRIDE"
]
},
"related": [
{
"dest-uuid": "6a42aa10-5b7e-43b0-8c58-414cdaeda453",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "12b524b9-0d94-400f-904f-615f4f764aaf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870",
"value": "SNUGRIDE - S0159"
},
{
"description": "[RemoteCMD](https://attack.mitre.org/software/S0166) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to execute commands on a remote system similar to SysInternal's PSEXEC functionality. (Citation: Symantec Buckeye)",
"meta": {
"external_id": "S0166",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0166",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
],
"synonyms": [
"RemoteCMD"
]
},
"related": [
{
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26",
"value": "RemoteCMD - S0166"
},
{
"description": "[Matroyshka](https://attack.mitre.org/software/S0167) is a malware framework used by [CopyKittens](https://attack.mitre.org/groups/G0052) that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)",
"meta": {
"external_id": "S0167",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0167",
"http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf",
"https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf"
],
"synonyms": [
"Matroyshka"
]
},
"related": [
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458",
"value": "Matroyshka - S0167"
},
{
"description": "[Wingbird](https://attack.mitre.org/software/S0176) is a backdoor that appears to be a version of commercial software [FinFisher](https://attack.mitre.org/software/S0182). It is reportedly used to attack individual computers instead of networks. It was used by [NEODYMIUM](https://attack.mitre.org/groups/G0055) in a May 2016 campaign. (Citation: Microsoft SIR Vol 21) (Citation: Microsoft NEODYMIUM Dec 2016)",
"meta": {
"external_id": "S0176",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0176",
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf",
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Wingbird.A!dha"
],
"synonyms": [
"Wingbird"
]
},
"related": [
{
"dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
"value": "Wingbird - S0176"
},
{
"description": "[DownPaper](https://attack.mitre.org/software/S0186) is a backdoor Trojan; its main functionality is to download and run second stage malware. (Citation: ClearSky Charming Kitten Dec 2017)",
"meta": {
"external_id": "S0186",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0186",
"http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
],
"synonyms": [
"DownPaper"
]
},
"related": [
{
"dest-uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148",
"value": "DownPaper - S0186"
},
{
"description": "[Gazer](https://attack.mitre.org/software/S0168) is a backdoor used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2016. (Citation: ESET Gazer Aug 2017)",
"meta": {
"external_id": "S0168",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0168",
"https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
"https://securelist.com/introducing-whitebear/81638/"
],
"synonyms": [
"Gazer",
"WhiteBear"
]
},
"related": [
{
"dest-uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"value": "Gazer - S0168"
},
{
"description": "[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a backdoor malware used by [FIN8](https://attack.mitre.org/groups/G0061) that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)",
"meta": {
"external_id": "S0196",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0196",
"http://blog.morphisec.com/security-alert-fin8-is-back",
"https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
"https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html"
],
"synonyms": [
"PUNCHBUGGY",
"ShellTea"
]
},
"related": [
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c",
"value": "PUNCHBUGGY - S0196"
},
{
"description": "[RawPOS](https://attack.mitre.org/software/S0169) is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. (Citation: Kroll RawPOS Jan 2017) (Citation: TrendMicro RawPOS April 2015) (Citation: Visa RawPOS March 2015) FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)",
"meta": {
"external_id": "S0169",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0169",
"http://www.kroll.com/CMSPages/GetAzureFile.aspx?path=~%5Cmedia%5Cfiles%5Cintelligence-center%5Ckroll_malware-analysis-report.pdf&hash=d5b5d2697118f30374b954f28a08c0ba69836c0ffd99566aa7ec62d1fc72b105",
"http://sjc1-te-ftp.trendmicro.com/images/tex/pdf/RawPOS%20Technical%20Brief.pdf",
"https://www.youtube.com/watch?v=fevGZs0EQu8",
"https://github.com/DiabloHorn/mempdump",
"https://usa.visa.com/dam/VCOM/download/merchants/alert-rawpos.pdf",
"https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?"
],
"synonyms": [
"RawPOS",
"FIENDCRY",
"DUEBREW",
"DRIFTWOOD"
]
},
"related": [
{
"dest-uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9752aef4-a1f3-4328-929f-b64eb0536090",
"value": "RawPOS - S0169"
},
{
"description": "[Daserf](https://attack.mitre.org/software/S0187) is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)",
"meta": {
"external_id": "S0187",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0187",
"http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
],
"synonyms": [
"Daserf",
"Muirim",
"Nioupale"
]
},
"related": [
{
"dest-uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
"value": "Daserf - S0187"
},
{
"description": "[Truvasys](https://attack.mitre.org/software/S0178) is first-stage malware that has been used by [PROMETHIUM](https://attack.mitre.org/groups/G0056). It is a collection of modules written in the Delphi programming language. (Citation: Microsoft Win Defender Truvasys Sep 2017) (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)",
"meta": {
"external_id": "S0178",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0178",
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Truvasys.A!dha",
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf"
],
"synonyms": [
"Truvasys"
]
},
"related": [
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad",
"value": "Truvasys - S0178"
},
{
"description": "[PUNCHTRACK](https://attack.mitre.org/software/S0197) is non-persistent point of sale (POS) system malware utilized by [FIN8](https://attack.mitre.org/groups/G0061) to scrape payment card data. (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)",
"meta": {
"external_id": "S0197",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0197",
"https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
"https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html"
],
"synonyms": [
"PUNCHTRACK",
"PSVC"
]
},
"related": [
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79",
"value": "PUNCHTRACK - S0197"
},
{
"description": "[Starloader](https://attack.mitre.org/software/S0188) is a loader component that has been observed loading [Felismus](https://attack.mitre.org/software/S0171) and associated tools. (Citation: Symantec Sowbug Nov 2017)",
"meta": {
"external_id": "S0188",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0188",
"https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
],
"synonyms": [
"Starloader"
]
},
"related": [
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4",
"value": "Starloader - S0188"
},
{
"description": "[NETWIRE](https://attack.mitre.org/software/S0198) is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012. (Citation: FireEye APT33 Sept 2017) (Citation: McAfee Netwire Mar 2015) (Citation: FireEye APT33 Webinar Sept 2017)",
"meta": {
"external_id": "S0198",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0198",
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/",
"https://www.brighttalk.com/webcast/10703/275683"
],
"synonyms": [
"NETWIRE"
]
},
"related": [
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2a70812b-f1ef-44db-8578-a496a227aef2",
"value": "NETWIRE - S0198"
},
{
"description": "[ISMInjector](https://attack.mitre.org/software/S0189) is a Trojan used to install another [OilRig](https://attack.mitre.org/groups/G0049) backdoor, ISMAgent. (Citation: OilRig New Delivery Oct 2017)",
"meta": {
"external_id": "S0189",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0189",
"https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/"
],
"synonyms": [
"ISMInjector"
]
},
"related": [
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324",
"value": "ISMInjector - S0189"
},
{
"description": "[TURNEDUP](https://attack.mitre.org/software/S0199) is a non-public backdoor. It has been dropped by [APT33](https://attack.mitre.org/groups/G0064)'s [StoneDrill](https://attack.mitre.org/software/S0380) malware. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)",
"meta": {
"external_id": "S0199",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0199",
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://www.brighttalk.com/webcast/10703/275683"
],
"synonyms": [
"TURNEDUP"
]
},
"related": [
{
"dest-uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c",
"value": "TURNEDUP - S0199"
},
{
"description": "[CCBkdr](https://attack.mitre.org/software/S0222) is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. (Citation: Talos CCleanup 2017) (Citation: Intezer Aurora Sept 2017)",
"meta": {
"external_id": "S0222",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0222",
"http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html",
"http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/"
],
"synonyms": [
"CCBkdr"
]
},
"related": [
{
"dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "54456690-84de-4538-9101-643e26437e09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b0f13390-cec7-4814-b37c-ccec01887faa",
"value": "CCBkdr - S0222"
},
{
"description": "[POWERSTATS](https://attack.mitre.org/software/S0223) is a PowerShell-based first stage backdoor used by [MuddyWater](https://attack.mitre.org/groups/G0069). (Citation: Unit 42 MuddyWater Nov 2017)",
"meta": {
"external_id": "S0223",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0223",
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
"https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
"https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
],
"synonyms": [
"POWERSTATS",
"Powermud"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37",
"value": "POWERSTATS - S0223"
},
{
"description": "[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. (Citation: ArsTechnica-HummingBad)",
"meta": {
"external_id": "S0322",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0322",
"http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
],
"synonyms": [
"HummingBad"
]
},
"related": [
{
"dest-uuid": "f5cacc72-f02a-42d1-a020-7a59650086bb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c8770c81-c29f-40d2-a140-38544206b2b4",
"value": "HummingBad - S0322"
},
{
"description": "[HOMEFRY](https://attack.mitre.org/software/S0232) is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other [Leviathan](https://attack.mitre.org/groups/G0065) backdoors. (Citation: FireEye Periscope March 2018)",
"meta": {
"external_id": "S0232",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0232",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
],
"synonyms": [
"HOMEFRY"
]
},
"related": [
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "7451bcf9-e6e6-4a70-bc3d-1599173d0035",
"value": "HOMEFRY - S0232"
},
{
"description": "[SynAck](https://attack.mitre.org/software/S0242) is variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. (Citation: SecureList SynAck Doppelgänging May 2018) (Citation: Kaspersky Lab SynAck May 2018)",
"meta": {
"external_id": "S0242",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0242",
"https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/",
"https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging"
],
"synonyms": [
"SynAck"
]
},
"related": [
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c1a452f3-6499-4c12-b7e9-a6a0a102af76",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "04227b24-7817-4de1-9050-b7b1b57f5866",
"value": "SynAck - S0242"
},
{
"description": "[NDiskMonitor](https://attack.mitre.org/software/S0272) is a custom backdoor written in .NET that appears to be unique to [Patchwork](https://attack.mitre.org/groups/G0040). (Citation: TrendMicro Patchwork Dec 2017)",
"meta": {
"external_id": "S0272",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0272",
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
],
"synonyms": [
"NDiskMonitor"
]
},
"related": [
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e",
"value": "NDiskMonitor - S0272"
},
{
"description": "[NanHaiShu](https://attack.mitre.org/software/S0228) is a remote access tool and JScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). [NanHaiShu](https://attack.mitre.org/software/S0228) has been used to target government and private-sector organizations that have relations to the South China Sea dispute. (Citation: Proofpoint Leviathan Oct 2017) (Citation: fsecure NanHaiShu July 2016)",
"meta": {
"external_id": "S0228",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0228",
"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
"https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf"
],
"synonyms": [
"NanHaiShu"
]
},
"related": [
{
"dest-uuid": "7abd6950-7a07-4d9e-ade1-62414fa50619",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2",
"value": "NanHaiShu - S0228"
},
{
"description": "[MacSpy](https://attack.mitre.org/software/S0282) is a malware-as-a-service offered on the darkweb (Citation: objsee mac malware 2017).",
"meta": {
"external_id": "S0282",
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0282",
"https://objective-see.com/blog/blog_0x25.html"
],
"synonyms": [
"MacSpy"
]
},
"related": [
{
"dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f72251cb-2be5-421f-a081-99c29a1209e7",
"value": "MacSpy - S0282"
},
{
"description": "[AndroRAT](https://attack.mitre.org/software/S0292) is malware that allows a third party to control the device and collect information. (Citation: Lookout-EnterpriseApps)",
"meta": {
"external_id": "S0292",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0292",
"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
],
"synonyms": [
"AndroRAT"
]
},
"related": [
{
"dest-uuid": "80447111-8085-40a4-a052-420926091ac6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93",
"value": "AndroRAT - S0292"
},
{
"description": "[Orz](https://attack.mitre.org/software/S0229) is a custom JavaScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)",
"meta": {
"external_id": "S0229",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0229",
"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
],
"synonyms": [
"AIRBREAK",
"Orz"
]
},
"related": [
{
"dest-uuid": "fd419da6-5c0d-461e-96ee-64397efac63b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b",
"value": "Orz - S0229"
},
{
"description": "[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. (Citation: CheckPoint-Charger)",
"meta": {
"external_id": "S0323",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0323",
"http://blog.checkpoint.com/2017/01/24/charger-malware/"
],
"synonyms": [
"Charger"
]
},
"related": [
{
"dest-uuid": "6e0545df-8df6-4990-971c-e96c4c60d561",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d1c600f8-0fb6-4367-921b-85b71947d950",
"value": "Charger - S0323"
},
{
"description": "[MURKYTOP](https://attack.mitre.org/software/S0233) is a reconnaissance tool used by [Leviathan](https://attack.mitre.org/groups/G0065). (Citation: FireEye Periscope March 2018)",
"meta": {
"external_id": "S0233",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0233",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
],
"synonyms": [
"MURKYTOP"
]
},
"related": [
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "049ff071-0b3c-4712-95d2-d21c6aa54501",
"value": "MURKYTOP - S0233"
},
{
"description": "[Bandook](https://attack.mitre.org/software/S0234) is a commercially available RAT, written in Delphi, which has been available since roughly 2007 (Citation: EFF Manul Aug 2016) (Citation: Lookout Dark Caracal Jan 2018).",
"meta": {
"external_id": "S0234",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0234",
"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf",
"https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf"
],
"synonyms": [
"Bandook"
]
},
"related": [
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "835a79f1-842d-472d-b8f4-d54b545c341b",
"value": "Bandook - S0234"
},
{
"description": "[DealersChoice](https://attack.mitre.org/software/S0243) is a Flash exploitation framework used by [APT28](https://attack.mitre.org/groups/G0007). (Citation: Sofacy DealersChoice)",
"meta": {
"external_id": "S0243",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0243",
"https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/"
],
"synonyms": [
"DealersChoice"
]
},
"related": [
{
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "8f460983-1bbb-4e7e-8094-f0b5e720f658",
"value": "DealersChoice - S0243"
},
{
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. (Citation: PaloAlto-SpyDealer)",
"meta": {
"external_id": "S0324",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0324",
"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
],
"synonyms": [
"SpyDealer"
]
},
"related": [
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
"value": "SpyDealer - S0324"
},
{
"description": "[GreyEnergy](https://attack.mitre.org/software/S0342) is a backdoor written in C and compiled in Visual Studio. [GreyEnergy](https://attack.mitre.org/software/S0342) shares similarities with the [BlackEnergy](https://attack.mitre.org/software/S0089) malware and is thought to be the successor of it.(Citation: ESET GreyEnergy Oct 2018)",
"meta": {
"external_id": "S0342",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0342",
"https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf"
],
"synonyms": [
"GreyEnergy"
]
},
"related": [
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "308b3d68-a084-4dfb-885a-3125e1a9c1e8",
"value": "GreyEnergy - S0342"
},
{
"description": "[CrossRAT](https://attack.mitre.org/software/S0235) is a cross platform RAT.",
"meta": {
"external_id": "S0235",
"mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0235",
"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
],
"synonyms": [
"CrossRAT"
]
},
"related": [
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea",
"value": "CrossRAT - S0235"
},
{
"description": "[RunningRAT](https://attack.mitre.org/software/S0253) is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [Brave Prince](https://attack.mitre.org/software/S0252). (Citation: McAfee Gold Dragon)",
"meta": {
"external_id": "S0253",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0253",
"https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
],
"synonyms": [
"RunningRAT"
]
},
"related": [
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "60d50676-459a-47dd-92e9-a827a9fe9c58",
"value": "RunningRAT - S0253"
},
{
"description": "[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)",
"meta": {
"external_id": "S0325",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0325",
"https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/"
],
"synonyms": [
"Judy"
]
},
"related": [
{
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "172444ab-97fc-4d94-b142-179452bfb760",
"value": "Judy - S0325"
},
{
"description": "[TYPEFRAME](https://attack.mitre.org/software/S0263) is a remote access tool that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: US-CERT TYPEFRAME June 2018)",
"meta": {
"external_id": "S0263",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0263",
"https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
],
"synonyms": [
"TYPEFRAME"
]
},
"related": [
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5",
"value": "TYPEFRAME - S0263"
},
{
"description": "[RedDrop](https://attack.mitre.org/software/S0326) is an Android malware family that exfiltrates sensitive data from devices. (Citation: Wandera-RedDrop)",
"meta": {
"external_id": "S0326",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0326",
"https://www.wandera.com/reddrop-malware/"
],
"synonyms": [
"RedDrop"
]
},
"related": [
{
"dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
"value": "RedDrop - S0326"
},
{
"description": "[Kwampirs](https://attack.mitre.org/software/S0236) is a backdoor Trojan used by [Orangeworm](https://attack.mitre.org/groups/G0071). It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. (Citation: Symantec Orangeworm April 2018)",
"meta": {
"external_id": "S0236",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0236",
"https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
],
"synonyms": [
"Kwampirs"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab",
"value": "Kwampirs - S0236"
},
{
"description": "[GravityRAT](https://attack.mitre.org/software/S0237) is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are \"TheMartian\" and \"The Invincible.\" According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organization and entities in India. (Citation: Talos GravityRAT)",
"meta": {
"external_id": "S0237",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0237",
"https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
],
"synonyms": [
"GravityRAT"
]
},
"related": [
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "1d1fce2f-0db5-402b-9843-4278a0694637",
"value": "GravityRAT - S0237"
},
{
"description": "[Socksbot](https://attack.mitre.org/software/S0273) is a backdoor that abuses Socket Secure (SOCKS) proxies. (Citation: TrendMicro Patchwork Dec 2017)",
"meta": {
"external_id": "S0273",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0273",
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
],
"synonyms": [
"Socksbot"
]
},
"related": [
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e494ad79-37ee-4cd0-866b-299c521d8b94",
"value": "Socksbot - S0273"
},
{
"description": "[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. (Citation: Kaspersky-Skygofree)",
"meta": {
"external_id": "S0327",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0327",
"https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"
],
"synonyms": [
"Skygofree"
]
},
"related": [
{
"dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3a913bac-4fae-4d0e-bca8-cae452f1599b",
"value": "Skygofree - S0327"
},
{
"description": "[jRAT](https://attack.mitre.org/software/S0283) is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of [jRAT](https://attack.mitre.org/software/S0283) have been distributed via a software-as-a-service platform, similar to an online subscription model.(Citation: Kaspersky Adwind Feb 2016) (Citation: jRAT Symantec Aug 2018)",
"meta": {
"external_id": "S0283",
"mitre_platforms": [
"Linux",
"Windows",
"macOS",
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0283",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf",
"https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques",
"https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
],
"synonyms": [
"jRAT",
"JSocket",
"AlienSpy",
"Frutas",
"Sockrat",
"Unrecom",
"jFrutas",
"Adwind",
"jBiFrost",
"Trojan.Maljava"
]
},
"related": [
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c",
"value": "jRAT - S0283"
},
{
"description": "[ServHelper](https://attack.mitre.org/software/S0382) is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.(Citation: Proofpoint TA505 Jan 2019)",
"meta": {
"external_id": "S0382",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0382",
"https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505"
],
"synonyms": [
"ServHelper"
]
},
"related": [
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "aae22730-e571-4d17-b037-65f2a3e26213",
"value": "ServHelper - S0382"
},
{
"description": "[Proxysvc](https://attack.mitre.org/software/S0238) is a malicious DLL used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc](https://attack.mitre.org/software/S0238) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. (Citation: McAfee GhostSecret)",
"meta": {
"external_id": "S0238",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0238",
"https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
],
"synonyms": [
"Proxysvc"
]
},
"related": [
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "069af411-9b24-4e85-b26c-623d035bbe84",
"value": "Proxysvc - S0238"
},
{
"description": "[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)",
"meta": {
"external_id": "S0293",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0293",
"http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/",
"https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
],
"synonyms": [
"BrainTest"
]
},
"related": [
{
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e",
"value": "BrainTest - S0293"
},
{
"description": "[Bankshot](https://attack.mitre.org/software/S0239) is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, [Lazarus Group](https://attack.mitre.org/groups/G0032) used the [Bankshot](https://attack.mitre.org/software/S0239) implant in attacks against the Turkish financial sector. (Citation: McAfee Bankshot)",
"meta": {
"external_id": "S0239",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0239",
"https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/"
],
"synonyms": [
"Bankshot",
"Trojan Manuscript"
]
},
"related": [
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "1f6e3702-7ca1-4582-b2e7-4591297d05a8",
"value": "Bankshot - S0239"
},
{
"description": "[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)",
"meta": {
"external_id": "S0329",
"mitre_platforms": [
"iOS"
],
"refs": [
"https://attack.mitre.org/software/S0329",
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
],
"synonyms": [
"Tangelo"
]
},
"related": [
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "35aae10a-97c5-471a-9c67-02c231a7a31a",
"value": "Tangelo - S0329"
},
{
"description": "[Comnie](https://attack.mitre.org/software/S0244) is a remote backdoor which has been used in attacks in East Asia. (Citation: Palo Alto Comnie)",
"meta": {
"external_id": "S0244",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0244",
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/"
],
"synonyms": [
"Comnie"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e",
"value": "Comnie - S0244"
},
{
"description": "[BADCALL](https://attack.mitre.org/software/S0245) is a Trojan malware variant used by the group [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: US-CERT BADCALL)",
"meta": {
"external_id": "S0245",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0245",
"https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF"
],
"synonyms": [
"BADCALL"
]
},
"related": [
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9dbdadb6-fdbf-490f-a35f-38762d06a0d2",
"value": "BADCALL - S0245"
},
{
"description": "[PLAINTEE](https://attack.mitre.org/software/S0254) is a malware sample that has been used by [Rancor](https://attack.mitre.org/groups/G0075) in targeted attacks in Singapore and Cambodia. (Citation: Rancor Unit42 June 2018)",
"meta": {
"external_id": "S0254",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0254",
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
],
"synonyms": [
"PLAINTEE"
]
},
"related": [
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b",
"value": "PLAINTEE - S0254"
},
{
"description": "[HARDRAIN](https://attack.mitre.org/software/S0246) is a Trojan malware variant reportedly used by the North Korean government. (Citation: US-CERT HARDRAIN March 2018)",
"meta": {
"external_id": "S0246",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0246",
"https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf"
],
"synonyms": [
"HARDRAIN"
]
},
"related": [
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988",
"value": "HARDRAIN - S0246"
},
{
"description": "[OopsIE](https://attack.mitre.org/software/S0264) is a Trojan used by [OilRig](https://attack.mitre.org/groups/G0049) to remotely execute commands as well as upload/download files to/from victims. (Citation: Unit 42 OopsIE! Feb 2018)",
"meta": {
"external_id": "S0264",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0264",
"https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/",
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/"
],
"synonyms": [
"OopsIE"
]
},
"related": [
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c",
"value": "OopsIE - S0264"
},
{
"description": "[NavRAT](https://attack.mitre.org/software/S0247) is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. (Citation: Talos NavRAT May 2018)",
"meta": {
"external_id": "S0247",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0247",
"https://blog.talosintelligence.com/2018/05/navrat.html"
],
"synonyms": [
"NavRAT"
]
},
"related": [
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "53a42597-1974-4b8e-84fd-3675e8992053",
"value": "NavRAT - S0247"
},
{
"description": "[Calisto](https://attack.mitre.org/software/S0274) is a macOS Trojan that opens a backdoor on the compromised machine. [Calisto](https://attack.mitre.org/software/S0274) is believed to have first been developed in 2016. (Citation: Securelist Calisto July 2018) (Citation: Symantec Calisto July 2018)",
"meta": {
"external_id": "S0274",
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0274",
"https://securelist.com/calisto-trojan-for-macos/86543/",
"https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days"
],
"synonyms": [
"Calisto"
]
},
"related": [
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b8fdef82-d2cf-4948-8949-6466357b1be1",
"value": "Calisto - S0274"
},
{
"description": "[More_eggs](https://attack.mitre.org/software/S0284) is a JScript backdoor used by [Cobalt Group](https://attack.mitre.org/groups/G0080). Its name was given based on the variable \"More_eggs\" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. (Citation: Talos Cobalt Group July 2018)",
"meta": {
"external_id": "S0284",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0284",
"https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html"
],
"synonyms": [
"More_eggs"
]
},
"related": [
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "bfd2738c-8b43-43c3-bc9f-d523c8e88bf4",
"value": "More_eggs - S0284"
},
{
"description": "[yty](https://attack.mitre.org/software/S0248) is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. (Citation: ASERT Donot March 2018)",
"meta": {
"external_id": "S0248",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0248",
"https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/"
],
"synonyms": [
"yty"
]
},
"related": [
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0817aaf2-afea-4c32-9285-4dcd1df5bf14",
"value": "yty - S0248"
},
{
"description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. (Citation: Lookout-Adware)",
"meta": {
"external_id": "S0294",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0294",
"https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
],
"synonyms": [
"ShiftyBug"
]
},
"related": [
{
"dest-uuid": "0c769e82-df28-4f65-97f5-7f3d88488f2e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c80a6bef-b3ce-44d0-b113-946e93124898",
"value": "ShiftyBug - S0294"
},
{
"description": "[DDKONG](https://attack.mitre.org/software/S0255) is a malware sample that was part of a campaign by [Rancor](https://attack.mitre.org/groups/G0075). [DDKONG](https://attack.mitre.org/software/S0255) was first seen used in February 2017. (Citation: Rancor Unit42 June 2018)",
"meta": {
"external_id": "S0255",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0255",
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
],
"synonyms": [
"DDKONG"
]
},
"related": [
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
"value": "DDKONG - S0255"
},
{
"description": "[Kazuar](https://attack.mitre.org/software/S0265) is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. (Citation: Unit 42 Kazuar May 2017)",
"meta": {
"external_id": "S0265",
"mitre_platforms": [
"Windows",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0265",
"https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/"
],
"synonyms": [
"Kazuar"
]
},
"related": [
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "536be338-e2ef-4a6b-afb6-8d5568b91eb2",
"value": "Kazuar - S0265"
},
{
"description": "[Mosquito](https://attack.mitre.org/software/S0256) is a Win32 backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010). [Mosquito](https://attack.mitre.org/software/S0256) is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. (Citation: ESET Turla Mosquito Jan 2018)",
"meta": {
"external_id": "S0256",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0256",
"https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
],
"synonyms": [
"Mosquito"
]
},
"related": [
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "92b55426-109f-4d93-899f-1833ce91ff90",
"value": "Mosquito - S0256"
},
{
"description": "[UPPERCUT](https://attack.mitre.org/software/S0275) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045). (Citation: FireEye APT10 Sept 2018)",
"meta": {
"external_id": "S0275",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0275",
"https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html"
],
"synonyms": [
"UPPERCUT",
"ANEL"
]
},
"related": [
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa",
"value": "UPPERCUT - S0275"
},
{
"description": "[VERMIN](https://attack.mitre.org/software/S0257) is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. (Citation: Unit 42 VERMIN Jan 2018)",
"meta": {
"external_id": "S0257",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0257",
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/"
],
"synonyms": [
"VERMIN"
]
},
"related": [
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5189f018-fea2-45d7-b0ed-23f9ee0a46f3",
"value": "VERMIN - S0257"
},
{
"description": "[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. (Citation: HackerNews-OldBoot)",
"meta": {
"external_id": "S0285",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0285",
"http://thehackernews.com/2014/01/first-widely-distributed-android.html"
],
"synonyms": [
"OldBoot"
]
},
"related": [
{
"dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc",
"value": "OldBoot - S0285"
},
{
"description": "[RGDoor](https://attack.mitre.org/software/S0258) is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. [RGDoor](https://attack.mitre.org/software/S0258) has been seen deployed on webservers belonging to the Middle East government organizations. [RGDoor](https://attack.mitre.org/software/S0258) provides backdoor access to compromised IIS servers. (Citation: Unit 42 RGDoor Jan 2018)",
"meta": {
"external_id": "S0258",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0258",
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
],
"synonyms": [
"RGDoor"
]
},
"related": [
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b9eec47e-98f4-4b3c-b574-3fa8a87ebe05",
"value": "RGDoor - S0258"
},
{
"description": "[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. (Citation: TrendMicro-RCSAndroid)",
"meta": {
"external_id": "S0295",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0295",
"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
],
"synonyms": [
"RCSAndroid"
]
},
"related": [
{
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"value": "RCSAndroid - S0295"
},
{
"description": "[InnaputRAT](https://attack.mitre.org/software/S0259) is a remote access tool that can exfiltrate files from a victims machine. [InnaputRAT](https://attack.mitre.org/software/S0259) has been seen out in the wild since 2016. (Citation: ASERT InnaputRAT April 2018)",
"meta": {
"external_id": "S0259",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0259",
"https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/"
],
"synonyms": [
"InnaputRAT"
]
},
"related": [
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c8b6cc43-ce61-42ae-87f3-a5f10526f952",
"value": "InnaputRAT - S0259"
},
{
"description": "[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program that has mainly been used for targeting banking sites in United States, Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) is developed in the C++ programming language. (Citation: S2 Grupo TrickBot June 2017) (Citation: Fidelis TrickBot Oct 2016) (Citation: IBM TrickBot Nov 2016)",
"meta": {
"external_id": "S0266",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0266",
"https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf",
"https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre",
"https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/",
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n",
"https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/",
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick"
],
"synonyms": [
"TrickBot",
"Totbrick",
"TSPY_TRICKLOAD"
]
},
"related": [
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "00806466-754d-44ea-ad6f-0caf59cb8556",
"value": "TrickBot - S0266"
},
{
"description": "[FELIXROOT](https://attack.mitre.org/software/S0267) is a backdoor that has been used to target Ukrainian victims. (Citation: FireEye FELIXROOT July 2018)",
"meta": {
"external_id": "S0267",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0267",
"https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html",
"https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf"
],
"synonyms": [
"FELIXROOT",
"GreyEnergy mini"
]
},
"related": [
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "cf8df906-179c-4a78-bd6e-6605e30f6624",
"value": "FELIXROOT - S0267"
},
{
"description": "This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor (Citation: OSX Keydnap malware).",
"meta": {
"external_id": "S0276",
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0276",
"https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/",
"https://www.synack.com/2017/01/01/mac-malware-2016/"
],
"synonyms": [
"Keydnap",
"OSX/Keydnap"
]
},
"related": [
{
"dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2715c335-1bf2-4efe-9f18-0691317ff83b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4b072c90-bc7a-432b-940e-016fc1c01761",
"value": "Keydnap - S0276"
},
{
"description": "OBAD is an Android malware family. (Citation: TrendMicro-Obad)",
"meta": {
"external_id": "S0286",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0286",
"http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"
],
"synonyms": [
"OBAD"
]
},
"related": [
{
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde",
"value": "OBAD - S0286"
},
{
"description": "[Bisonal](https://attack.mitre.org/software/S0268) is malware that has been used in attacks against targets in Russia, South Korea, and Japan. It has been observed in the wild since 2014. (Citation: Unit 42 Bisonal July 2018)",
"meta": {
"external_id": "S0268",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0268",
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/"
],
"synonyms": [
"Bisonal"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "65ffc206-d7c1-45b3-b543-f6b726e7840d",
"value": "Bisonal - S0268"
},
{
"description": "[QUADAGENT](https://attack.mitre.org/software/S0269) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: Unit 42 QUADAGENT July 2018)",
"meta": {
"external_id": "S0269",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0269",
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/"
],
"synonyms": [
"QUADAGENT"
]
},
"related": [
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77",
"value": "QUADAGENT - S0269"
},
{
"description": "FruitFly is designed to spy on mac users (Citation: objsee mac malware 2017).",
"meta": {
"external_id": "S0277",
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0277",
"https://objective-see.com/blog/blog_0x25.html"
],
"synonyms": [
"FruitFly"
]
},
"related": [
{
"dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4a98e44a-bd52-461e-af1e-a4457de87a36",
"value": "FruitFly - S0277"
},
{
"description": "[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. (Citation: Xiao-ZergHelper)",
"meta": {
"external_id": "S0287",
"mitre_platforms": [
"iOS"
],
"refs": [
"https://attack.mitre.org/software/S0287",
"http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
],
"synonyms": [
"ZergHelper"
]
},
"related": [
{
"dest-uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"value": "ZergHelper - S0287"
},
{
"description": "[iKitten](https://attack.mitre.org/software/S0278) is a macOS exfiltration agent (Citation: objsee mac malware 2017).",
"meta": {
"external_id": "S0278",
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0278",
"https://objective-see.com/blog/blog_0x25.html"
],
"synonyms": [
"iKitten",
"OSX/MacDownloader"
]
},
"related": [
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2cfe8a26-5be7-4a09-8915-ea3d9e787513",
"value": "iKitten - S0278"
},
{
"description": "[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)",
"meta": {
"external_id": "S0297",
"mitre_platforms": [
"iOS"
],
"refs": [
"https://attack.mitre.org/software/S0297",
"http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/",
"http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
],
"synonyms": [
"XcodeGhost"
]
},
"related": [
{
"dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9",
"value": "XcodeGhost - S0297"
},
{
"description": "[Proton](https://attack.mitre.org/software/S0279) is a macOS backdoor focusing on data theft and credential access (Citation: objsee mac malware 2017).",
"meta": {
"external_id": "S0279",
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0279",
"https://objective-see.com/blog/blog_0x25.html"
],
"synonyms": [
"Proton"
]
},
"related": [
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c541efb4-e7b1-4ad6-9da8-b4e113f5dd42",
"value": "Proton - S0279"
},
{
"description": "[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. (Citation: Xiao-KeyRaider)",
"meta": {
"external_id": "S0288",
"mitre_platforms": [
"iOS"
],
"refs": [
"https://attack.mitre.org/software/S0288",
"http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
],
"synonyms": [
"KeyRaider"
]
},
"related": [
{
"dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50",
"value": "KeyRaider - S0288"
},
{
"description": "[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. (Citation: Lookout-NotCompatible)",
"meta": {
"external_id": "S0299",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0299",
"https://blog.lookout.com/blog/2014/11/19/notcompatible/"
],
"synonyms": [
"NotCompatible"
]
},
"related": [
{
"dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe",
"value": "NotCompatible - S0299"
},
{
"description": "[UBoatRAT](https://attack.mitre.org/software/S0333) is a remote access tool that was identified in May 2017.(Citation: PaloAlto UBoatRAT Nov 2017)",
"meta": {
"external_id": "S0333",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0333",
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/"
],
"synonyms": [
"UBoatRAT"
]
},
"related": [
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f",
"value": "UBoatRAT - S0333"
},
{
"description": "[DarkComet](https://attack.mitre.org/software/S0334) is a Windows remote administration tool and backdoor.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)",
"meta": {
"external_id": "S0334",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0334",
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET",
"https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
],
"synonyms": [
"DarkComet",
"DarkKomet",
"Fynloski",
"Krademok",
"FYNLOS"
]
},
"related": [
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547",
"value": "DarkComet - S0334"
},
{
"description": "[Exaramel](https://attack.mitre.org/software/S0343) is multi-platform backdoor for Linux and Windows systems.(Citation: ESET TeleBots Oct 2018)",
"meta": {
"external_id": "S0343",
"mitre_platforms": [
"Linux",
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0343",
"https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/"
],
"synonyms": [
"Exaramel"
]
},
"related": [
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "051eaca1-958f-4091-9e5f-a9acd8f820b5",
"value": "Exaramel - S0343"
},
{
"description": "[Carbon](https://attack.mitre.org/software/S0335) is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. [Carbon](https://attack.mitre.org/software/S0335) has been selectively used by [Turla](https://attack.mitre.org/groups/G0010) to target government and foreign affairs-related organizations in Central Asia.(Citation: ESET Carbon Mar 2017)(Citation: Securelist Turla Oct 2018)",
"meta": {
"external_id": "S0335",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0335",
"https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
"https://securelist.com/shedding-skin-turlas-fresh-faces/88069/"
],
"synonyms": [
"Carbon"
]
},
"related": [
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f",
"value": "Carbon - S0335"
},
{
"description": "[NOKKI](https://attack.mitre.org/software/S0353) is a modular remote access tool. The earliest observed attack using [NOKKI](https://attack.mitre.org/software/S0353) was in January 2018. [NOKKI](https://attack.mitre.org/software/S0353) has significant code overlap with the [KONNI](https://attack.mitre.org/software/S0356) malware family. There is some evidence potentially linking [NOKKI](https://attack.mitre.org/software/S0353) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)",
"meta": {
"external_id": "S0353",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0353",
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/",
"https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/"
],
"synonyms": [
"NOKKI"
]
},
"related": [
{
"dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "071d5d65-83ec-4a55-acfa-be7d5f28ba9a",
"value": "NOKKI - S0353"
},
{
"description": "[NanoCore](https://attack.mitre.org/software/S0336) is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.(Citation: DigiTrust NanoCore Jan 2017)(Citation: Cofense NanoCore Mar 2018)(Citation: PaloAlto NanoCore Feb 2016)(Citation: Unit 42 Gorgon Group Aug 2018)",
"meta": {
"external_id": "S0336",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0336",
"https://www.digitrustgroup.com/nanocore-not-your-average-rat/",
"https://cofense.com/nanocore-rat-resurfaced-sewers/",
"https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/",
"https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
],
"synonyms": [
"NanoCore"
]
},
"related": [
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676",
"value": "NanoCore - S0336"
},
{
"description": "[Astaroth](https://attack.mitre.org/software/S0373) is a Trojan and information stealer known to affect companies in Europe and Brazil. It has been known publicly since at least late 2017. (Citation: Cybereason Astaroth Feb 2019) (Citation: Cofense Astaroth Sept 2018)",
"meta": {
"external_id": "S0373",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0373",
"https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research",
"https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/"
],
"synonyms": [
"Astaroth"
]
},
"related": [
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "edb24a93-1f7a-4bbf-a738-1397a14662c6",
"value": "Astaroth - S0373"
},
{
"description": "[BadPatch](https://attack.mitre.org/software/S0337) is a Windows Trojan that was used in a Gaza Hackers-linked campaign.(Citation: Unit 42 BadPatch Oct 2017)",
"meta": {
"external_id": "S0337",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0337",
"https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/"
],
"synonyms": [
"BadPatch"
]
},
"related": [
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9af05de0-bc09-4511-a350-5eb8b06185c1",
"value": "BadPatch - S0337"
},
{
"description": "[FlawedGrace](https://attack.mitre.org/software/S0383) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019)",
"meta": {
"external_id": "S0383",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0383",
"https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505"
],
"synonyms": [
"FlawedGrace"
]
},
"related": [
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "43155329-3edf-47a6-9a14-7dac899b01e4",
"value": "FlawedGrace - S0383"
},
{
"description": "[Micropsia](https://attack.mitre.org/software/S0339) is a remote access tool written in Delphi.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)",
"meta": {
"external_id": "S0339",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0339",
"https://blog.talosintelligence.com/2017/06/palestine-delphi.html",
"https://blog.radware.com/security/2018/07/micropsia-malware/"
],
"synonyms": [
"Micropsia"
]
},
"related": [
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349",
"value": "Micropsia - S0339"
},
{
"description": "[PowerStallion](https://attack.mitre.org/software/S0393) is a lightweight [PowerShell](https://attack.mitre.org/techniques/T1086) backdoor used by [Turla](https://attack.mitre.org/groups/G0010), possibly as a recovery access tool to install other backdoors.(Citation: ESET Turla PowerShell May 2019)",
"meta": {
"external_id": "S0393",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0393",
"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"
],
"synonyms": [
"PowerStallion"
]
},
"related": [
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd",
"value": "PowerStallion - S0393"
},
{
"description": "[Azorult](https://attack.mitre.org/software/S0344) is a commercial Trojan that is used to steal information from compromised hosts. [Azorult](https://attack.mitre.org/software/S0344) has been observed in the wild as early as 2016.\nIn July 2018, [Azorult](https://attack.mitre.org/software/S0344) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://attack.mitre.org/software/S0344) has been seen used for cryptocurrency theft. (Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)",
"meta": {
"external_id": "S0344",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0344",
"https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/",
"https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside"
],
"synonyms": [
"Azorult"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f9b05f33-d45d-4e4d-aafe-c208d38a0080",
"value": "Azorult - S0344"
},
{
"description": "[Denis](https://attack.mitre.org/software/S0354) is a Windows backdoor and Trojan.(Citation: Cybereason Oceanlotus May 2017)",
"meta": {
"external_id": "S0354",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0354",
"https://www.cybereason.com/blog/operation-cobalt-kitty-apt"
],
"synonyms": [
"Denis"
]
},
"related": [
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f25aab1a-0cef-4910-a85d-bb38b32ea41a",
"value": "Denis - S0354"
},
{
"description": "[Seasalt](https://attack.mitre.org/software/S0345) is malware that has been linked to [APT1](https://attack.mitre.org/groups/G0006)'s 2010 operations. It shares some code similarities with [OceanSalt](https://attack.mitre.org/software/S0346).(Citation: Mandiant APT1 Appendix)(Citation: McAfee Oceansalt Oct 2018)",
"meta": {
"external_id": "S0345",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0345",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip",
"https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf"
],
"synonyms": [
"Seasalt"
]
},
"related": [
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b45747dc-87ca-4597-a245-7e16a61bc491",
"value": "Seasalt - S0345"
},
{
"description": "[OceanSalt](https://attack.mitre.org/software/S0346) is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. [OceanSalt](https://attack.mitre.org/software/S0346) shares code similarity with [SpyNote RAT](https://attack.mitre.org/software/S0305), which has been linked to [APT1](https://attack.mitre.org/groups/G0006).(Citation: McAfee Oceansalt Oct 2018)",
"meta": {
"external_id": "S0346",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0346",
"https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf"
],
"synonyms": [
"OceanSalt"
]
},
"related": [
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "288fa242-e894-4c7e-ac86-856deedf5cea",
"value": "OceanSalt - S0346"
},
{
"description": "[AuditCred](https://attack.mitre.org/software/S0347) is a malicious DLL that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) during their 2018 attacks.(Citation: TrendMicro Lazarus Nov 2018)",
"meta": {
"external_id": "S0347",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0347",
"https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/"
],
"synonyms": [
"AuditCred",
"Roptimizer"
]
},
"related": [
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "24b4ce59-eaac-4c8b-8634-9b093b7ccd92",
"value": "AuditCred - S0347"
},
{
"description": "[SpeakUp](https://attack.mitre.org/software/S0374) is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. (Citation: CheckPoint SpeakUp Feb 2019)",
"meta": {
"external_id": "S0374",
"mitre_platforms": [
"Linux",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0374",
"https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/"
],
"synonyms": [
"SpeakUp"
]
},
"related": [
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a5575606-9b85-4e3d-9cd2-40ef30e3672d",
"value": "SpeakUp - S0374"
},
{
"description": "[Dridex](https://attack.mitre.org/software/S0384) is a banking Trojan that has been used for financial gain. Dridex was created from the source code of the Bugat banking trojan (also known as Cridex).(Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017)",
"meta": {
"external_id": "S0384",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0384",
"https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation",
"https://securelist.com/dridex-a-history-of-evolution/78531/"
],
"synonyms": [
"Dridex",
"Bugat v5"
]
},
"related": [
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19",
"value": "Dridex - S0384"
},
{
"description": "[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statistically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)",
"meta": {
"external_id": "S0394",
"mitre_platforms": [
"Linux"
],
"refs": [
"https://attack.mitre.org/software/S0394",
"https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/"
],
"synonyms": [
"HiddenWasp"
]
},
"related": [
{
"dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "fc774af4-533b-4724-96d2-ac1026316794",
"value": "HiddenWasp - S0394"
},
{
"description": "[KONNI](https://attack.mitre.org/software/S0356) is a Windows remote administration too that has been seen in use since 2014 and evolved in its capabilities through at least 2017. [KONNI](https://attack.mitre.org/software/S0356) has been linked to several campaigns involving North Korean themes.(Citation: Talos Konni May 2017) [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family. There is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)",
"meta": {
"external_id": "S0356",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0356",
"https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/",
"https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/"
],
"synonyms": [
"KONNI"
]
},
"related": [
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
"value": "KONNI - S0356"
},
{
"description": "[Remexi](https://attack.mitre.org/software/S0375) is a Windows-based Trojan that was developed in the C programming language.(Citation: Securelist Remexi Jan 2019)",
"meta": {
"external_id": "S0375",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0375",
"https://securelist.com/chafer-used-remexi-malware/89538/"
],
"synonyms": [
"Remexi"
]
},
"related": [
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5",
"value": "Remexi - S0375"
},
{
"description": "[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)",
"meta": {
"external_id": "S0385",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0385",
"https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf",
"https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/"
],
"synonyms": [
"njRAT",
"Njw0rm",
"LV",
"Bladabindi"
]
},
"related": [
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945",
"value": "njRAT - S0385"
},
{
"description": "[LightNeuron](https://attack.mitre.org/software/S0395) is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. [LightNeuron](https://attack.mitre.org/software/S0395) has been used by [Turla](https://attack.mitre.org/groups/G0010) to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of [LightNeuron](https://attack.mitre.org/software/S0395) exists.(Citation: ESET LightNeuron May 2019)",
"meta": {
"external_id": "S0395",
"mitre_platforms": [
"Windows",
"Linux"
],
"refs": [
"https://attack.mitre.org/software/S0395",
"https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf"
],
"synonyms": [
"LightNeuron"
]
},
"related": [
{
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb",
"value": "LightNeuron - S0395"
},
{
"description": "[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)",
"meta": {
"external_id": "S0366",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0366",
"https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/",
"https://www.us-cert.gov/ncas/alerts/TA17-132A",
"https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4",
"https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
"https://www.secureworks.com/research/wcry-ransomware-analysis"
],
"synonyms": [
"WannaCry",
"WanaCry",
"WanaCrypt",
"WanaCrypt0r",
"WCry"
]
},
"related": [
{
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661",
"value": "WannaCry - S0366"
},
{
"description": "[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)",
"meta": {
"external_id": "S0367",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0367",
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/",
"https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/",
"https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/",
"https://support.malwarebytes.com/docs/DOC-2295",
"https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor",
"https://www.us-cert.gov/ncas/alerts/TA18-201A",
"https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/",
"https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader",
"https://blog.talosintelligence.com/2019/01/return-of-emotet.html",
"https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf",
"https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/",
"https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html",
"https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/"
],
"synonyms": [
"Emotet",
"Geodo"
]
},
"related": [
{
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
2018-10-12 09:00:00 +00:00
{
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
2018-10-12 09:00:00 +00:00
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
2018-10-12 09:00:00 +00:00
{
"dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
}
],
"uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023",
"value": "Emotet - S0367"
2017-10-26 08:28:53 +00:00
},
{
"description": "[HOPLIGHT](https://attack.mitre.org/software/S0376) is a backdoor Trojan that has reportedly been used by the North Korean government.(Citation: US-CERT HOPLIGHT Apr 2019)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0376",
"mitre_platforms": [
"Windows"
],
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0376",
"https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"HOPLIGHT"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369",
"value": "HOPLIGHT - S0376"
2017-10-26 08:28:53 +00:00
},
{
"description": "[NotPetya](https://attack.mitre.org/software/S0368) is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though [NotPetya](https://attack.mitre.org/software/S0368) presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0368",
"mitre_platforms": [
"Windows"
2017-10-26 08:28:53 +00:00
],
"refs": [
"https://attack.mitre.org/software/S0368",
"https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html",
"https://www.us-cert.gov/ncas/alerts/TA17-181A"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"NotPetya",
"GoldenEye",
"Petrwrap",
"Nyetya"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
2018-10-12 09:00:00 +00:00
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb",
"value": "NotPetya - S0368"
},
{
"description": "[EvilBunny](https://attack.mitre.org/software/S0396) is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.(Citation: Cyphort EvilBunny Dec 2014)",
"meta": {
"external_id": "S0396",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0396",
"https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/"
],
"synonyms": [
"EvilBunny"
]
},
"related": [
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a8a778f5-0035-4870-bb25-53dc05029586",
"value": "EvilBunny - S0396"
},
{
"description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
"meta": {
"external_id": "S0369",
"mitre_platforms": [
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0369",
"https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/"
],
"synonyms": [
"CoinTicker"
]
},
"related": [
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
},
{
"dest-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d1531eaa-9e17-473e-a680-3298469662c3",
"value": "CoinTicker - S0369"
},
{
"description": "[Ebury](https://attack.mitre.org/software/S0377) is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)",
"meta": {
"external_id": "S0377",
"mitre_platforms": [
"Linux"
],
"refs": [
"https://attack.mitre.org/software/S0377",
"https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/",
"https://www.bleepingcomputer.com/news/security/russian-hacker-pleads-guilty-for-role-in-infamous-linux-ebury-malware/"
],
"synonyms": [
"Ebury"
]
},
"related": [
{
"dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
2018-10-12 09:00:00 +00:00
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "54456690-84de-4538-9101-643e26437e09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51",
"value": "Ebury - S0377"
2017-10-26 08:28:53 +00:00
},
{
"description": "[KeyBoy](https://attack.mitre.org/software/S0387) is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: PWC KeyBoys Feb 2017)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0387",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0387",
"https://citizenlab.ca/2016/11/parliament-keyboy/",
"https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html",
"https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"KeyBoy"
]
},
"related": [
{
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
2018-10-12 09:00:00 +00:00
{
"dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
}
],
"uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e",
"value": "KeyBoy - S0387"
2017-10-26 08:28:53 +00:00
},
{
"description": "[LoJax](https://attack.mitre.org/software/S0397) is a UEFI rootkit used by [APT28](https://attack.mitre.org/groups/G0007) to persist remote access software on targeted systems.(Citation: ESET LoJax Sept 2018)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0397",
"mitre_platforms": [
"Windows"
],
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0397",
"https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"LoJax"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
2018-10-12 09:00:00 +00:00
{
"dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
2018-10-12 09:00:00 +00:00
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b865dded-0553-4962-a44b-6fe7863effed",
"value": "LoJax - S0397"
},
{
"description": "Yahoyah is a Trojan used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) as a second-stage backdoor.(Citation: TrendMicro TropicTrooper 2015)",
"meta": {
"external_id": "S0388",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0388",
"https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf"
],
"synonyms": [
"Yahoyah"
]
},
"related": [
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3",
"value": "Yahoyah - S0388"
2017-10-26 08:28:53 +00:00
},
{
"description": "[JCry](https://attack.mitre.org/software/S0389) is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.(Citation: Carbon Black JCry May 2019)",
2017-10-26 08:28:53 +00:00
"meta": {
"external_id": "S0389",
2017-10-26 08:28:53 +00:00
"refs": [
"https://attack.mitre.org/software/S0389",
"https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/"
2017-10-26 08:28:53 +00:00
],
"synonyms": [
"JCry"
]
2017-10-26 08:28:53 +00:00
},
"related": [
{
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "aaf3fa65-8b27-4e68-91de-2b7738fe4c82",
"value": "JCry - S0389"
},
{
"description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)",
"meta": {
"external_id": "S0399",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0399",
"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
],
"synonyms": [
"Pallas"
]
},
"related": [
{
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
2018-10-12 09:00:00 +00:00
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
2018-10-12 09:00:00 +00:00
},
{
"dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f",
2018-10-12 09:00:00 +00:00
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
2018-10-12 09:00:00 +00:00
],
"type": "uses"
},
{
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
"value": "Pallas - S0399"
2017-10-26 08:28:53 +00:00
}
],
"version": 16
2019-03-20 11:58:18 +00:00
}