diff --git a/clusters/tool.json b/clusters/tool.json index c1c20ca..8512cf0 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -3761,6 +3761,18 @@ ] }, "uuid": "70c31066-237a-11e8-8eff-37ef1ad0c703" + }, + { + "value": "Cheshire Cat", + "description": "Oldest Cheshire Cat malware compiled in 2002. It's a very old family of malware.\nThe time stamps may be forged but the malware does have support for very old operating systems. The 2002 implant retrieves a handle for an asr2892 drives that they never got their hands on. It checks for a NE header which is a header type used before PE headers even existed. References to 16bit or DOS on a non 9x platform. This malware implant IS REALLY for old systems.\nThe malware is for espionage - it's very carefully made to stay hidden. Newer versions install as icon handler shell extension for .lnk files. Shell in this case means the program manager because windows explorer was not yet a thing. It sets up COM server objects. It looks like it was written in pure C, but made to look like C++.\nA sensitive implant as well: it checks for all kinds of old MS platforms including Windows NT, win95, win98, winME and more. It checks the patch level as well. A lot of effort was put into adapting this malware to a lot of different operating systems with very granular decision chains.", + "meta": { + "refs": [ + "https://www.youtube.com/watch?v=u2Ry9HTBbZI", + "https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/", + "https://www.peerlyst.com/posts/hack-lu-2016-recap-interesting-malware-no-i-m-not-kidding-by-marion-marschalek-claus-cramon" + ] + }, + "uuid": "7af226a0-237d-11e8-b438-075460988010" } ] }