add VEILEDSIGNALand more

This commit is contained in:
Delta-Sierra 2023-04-27 09:53:49 +02:00
parent 79b80b0869
commit bd050668ef
2 changed files with 72 additions and 2 deletions

View file

@ -214,7 +214,27 @@
}, },
"uuid": "c866b002-1cb6-4c91-8a8b-f0b0c6ac2b1a", "uuid": "c866b002-1cb6-4c91-8a8b-f0b0c6ac2b1a",
"value": "PowerMagic" "value": "PowerMagic"
},
{
"description": "VEILEDSIGNAL is a backdoor written in C that is able to execute shellcode and terminate itself. Additionally, VEILEDSIGNAL relies on additional modules that connect via Windows named pipes to interact with the Command and Control(C2) infrastructure.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
]
},
"uuid": "f482f9bb-ced1-4a2f-90cd-07df7163b44f",
"value": "VEILEDSIGNAL"
},
{
"description": "POOLRAT is a C/C++ macOS backdoor capable of collecting basic system information and executing commands. The commands performed include running arbitrary commands, secure deleting files, reading and writing files, updating the configuration.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
]
},
"uuid": "617009c2-e6bc-4881-8f46-b9b4a68f4c04",
"value": "POOLRAT"
} }
], ],
"version": 15 "version": 16
} }

View file

@ -10030,7 +10030,57 @@
], ],
"uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b", "uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
"value": "QUARTERRIG" "value": "QUARTERRIG"
},
{
"description": "ICONICSTEALER is a C/C++ data miner that collects application configuration data as well as browser history.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
]
},
"uuid": "1dca0cec-920e-47d4-a848-ed417f4012e8",
"value": "ICONICSTEALER"
},
{
"description": "DAVESHELL is shellcode that functions as an in-memory dropper. Its embedded payload is mapped into memory and executed.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
]
},
"uuid": "0ca56007-de60-41b6-99a6-3b7d9dd737d4",
"value": "DAVESHELL"
},
{
"description": "SigFlip is a tool for patching authenticode signed PE-COFF files to inject arbitrary code without affecting or breaking the file's signature.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
]
},
"uuid": "832f7b8c-b733-48b5-a186-7482b09fe5be",
"value": "SIGFLIP"
},
{
"description": "COLDCAT is a complex downloader. COLDCAT generates unique host identifier information, and beacons it to a C2 that is specified in a separate file via POST request with the data in the cookie header. After a brief handshake, the malware expects base64 encoded shellcode to execute in response.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
]
},
"uuid": "62530fb1-fbce-4b39-91d3-bedc0c37d0fe",
"value": "COLDCAT"
},
{
"description": "TAXHAUL is a DLL that, when executed, decrypts a shellcode payload expected at C:\\Windows\\System32\\config\\TxR\\<machine hardware profile GUID>.TXR.0.regtrans-ms. Mandiant has seen TAXHAUL persist via DLL side loading.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
]
},
"uuid": "90ced040-3507-4b81-9e6d-131acde085ab",
"value": "TAXHAUL"
} }
], ],
"version": 165 "version": 166
} }