add VEILEDSIGNALand more
This commit is contained in:
parent
79b80b0869
commit
bd050668ef
2 changed files with 72 additions and 2 deletions
|
@ -214,7 +214,27 @@
|
|||
},
|
||||
"uuid": "c866b002-1cb6-4c91-8a8b-f0b0c6ac2b1a",
|
||||
"value": "PowerMagic"
|
||||
},
|
||||
{
|
||||
"description": "VEILEDSIGNAL is a backdoor written in C that is able to execute shellcode and terminate itself. Additionally, VEILEDSIGNAL relies on additional modules that connect via Windows named pipes to interact with the Command and Control(C2) infrastructure.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
|
||||
]
|
||||
},
|
||||
"uuid": "f482f9bb-ced1-4a2f-90cd-07df7163b44f",
|
||||
"value": "VEILEDSIGNAL"
|
||||
},
|
||||
{
|
||||
"description": "POOLRAT is a C/C++ macOS backdoor capable of collecting basic system information and executing commands. The commands performed include running arbitrary commands, secure deleting files, reading and writing files, updating the configuration.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
|
||||
]
|
||||
},
|
||||
"uuid": "617009c2-e6bc-4881-8f46-b9b4a68f4c04",
|
||||
"value": "POOLRAT"
|
||||
}
|
||||
],
|
||||
"version": 15
|
||||
"version": 16
|
||||
}
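Review bot: The VEILEDSIGNAL description has a spacing slip, `"...to interact with the Command and Control(C2) infrastructure."` should read `"...to interact with the Command and Control (C2) infrastructure."`, and since descriptions are rendered verbatim in MISP tag tooltips it is worth fixing before the value is tagged anywhere. Beyond wording, the two entries here and the five in the second hunk all cite the same 3CX supply-chain write-up yet nothing on either side links them; if this cluster's entries use the galaxy `related` list (`dest-uuid` plus a `type` such as `"similar"`), adding those references from VEILEDSIGNAL and POOLRAT to the other tools would let analysts pivot across the whole tool set rather than find each one by chance. I cannot see whether this file already uses `related` on other entries, so confirm against existing entries before adding it. The enclosing `values` array and the cluster object both begin outside this hunk.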
|
||||
|
|
|
@ -10030,7 +10030,57 @@
|
|||
],
|
||||
"uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
|
||||
"value": "QUARTERRIG"
|
||||
},
|
||||
{
|
||||
"description": "ICONICSTEALER is a C/C++ data miner that collects application configuration data as well as browser history.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
|
||||
]
|
||||
},
|
||||
"uuid": "1dca0cec-920e-47d4-a848-ed417f4012e8",
|
||||
"value": "ICONICSTEALER"
|
||||
},
|
||||
{
|
||||
"description": "DAVESHELL is shellcode that functions as an in-memory dropper. Its embedded payload is mapped into memory and executed.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
|
||||
]
|
||||
},
|
||||
"uuid": "0ca56007-de60-41b6-99a6-3b7d9dd737d4",
|
||||
"value": "DAVESHELL"
|
||||
},
|
||||
{
|
||||
"description": "SigFlip is a tool for patching authenticode signed PE-COFF files to inject arbitrary code without affecting or breaking the file's signature.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
|
||||
]
|
||||
},
|
||||
"uuid": "832f7b8c-b733-48b5-a186-7482b09fe5be",
|
||||
"value": "SIGFLIP"
|
||||
},
|
||||
{
|
||||
"description": "COLDCAT is a complex downloader. COLDCAT generates unique host identifier information, and beacons it to a C2 that is specified in a separate file via POST request with the data in the cookie header. After a brief handshake, the malware expects base64 encoded shellcode to execute in response.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
|
||||
]
|
||||
},
|
||||
"uuid": "62530fb1-fbce-4b39-91d3-bedc0c37d0fe",
|
||||
"value": "COLDCAT"
|
||||
},
|
||||
{
|
||||
"description": "TAXHAUL is a DLL that, when executed, decrypts a shellcode payload expected at C:\\Windows\\System32\\config\\TxR\\<machine hardware profile GUID>.TXR.0.regtrans-ms. Mandiant has seen TAXHAUL persist via DLL side loading.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
|
||||
]
|
||||
},
|
||||
"uuid": "90ced040-3507-4b81-9e6d-131acde085ab",
|
||||
"value": "TAXHAUL"
|
||||
}
|
||||
],
|
||||
"version": 165
|
||||
"version": 166
|
||||
}
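Review bot: The SigFlip entry is inconsistent with itself, the description calls the tool `SigFlip` while the value is `"value": "SIGFLIP"`; the other values in this hunk are Mandiant uppercase codenames, but SigFlip is a publicly released tool whose name is mixed case, and once the cluster ships the value becomes part of the tag string, so renaming it later breaks existing tags. Either settle on `"value": "SigFlip"` now or keep the uppercase value and add `"synonyms": ["SigFlip"]` under `meta` so searches on the real name still resolve. The TAXHAUL description embeds a path with an angle-bracket placeholder (`<machine hardware profile GUID>`), which is fine as prose but will not match if anyone copies it into a detection as-is; a short note that the GUID is host-specific would help consumers. The enclosing `values` array and cluster object begin outside this hunk.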
|
||||
|
|