{ "values": [ { "value": "PlugX", "description": "Malware" }, { "value": "MSUpdater" }, { "value": "Poison Ivy", "description": "Poison Ivy is a RAT which was freely available and first released in 2005.", "refs": ["https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf"] }, { "value": "SPIVY", "description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", "refs": ["http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"] }, { "value": "Torn RAT" }, { "value": "ZeGhost" }, { "value": "Backdoor.Dripion", "description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.", "refs": ["http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan"], "synonyms": ["Dripion"] }, { "value": "Elise Backdoor", "synonyms": ["Elise"] }, { "value": "Trojan.Laziok", "synonyms": ["Laziok"], "refs": ["http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector"], "description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer." }, { "value": "Slempo", "description": "Android-based malware", "synonyms": ["GM-Bot", "Acecard"] }, { "value": "PWOBot", "description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.", "refs": ["http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"] }, { "value": "Lstudio" }, { "value": "Joy RAT" }, { "value": "Lost Door RAT", "synonyms": ["LostDoor RAT"], "descriptions": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.", "refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"] }, { "value": "njRAT", "synonyms": ["Bladakindi"], "refs": ["http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"] }, { "value": "NanoCoreRAT", "synonyms": ["NanoCore"], "refs": ["http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter"] }, { "value": "Sakula", "synonyms": ["Sakurel"] }, { "value": "Derusbi" }, { "value": "EvilGrab" }, { "value": "IEChecker" }, { "value": "Trojan.Naid" }, { "value": "Backdoor.Moudoor" }, { "value": "NetTraveler" }, { "value": "Winnti" }, { "value": "Mimikatz" }, { "value": "WEBC2" }, { "value": "Pirpi" }, { "value": "RARSTONE" }, { "value": "BACKSPACe" }, { "value": "XSControl" }, { "value": "NETEAGLE" }, { "value": "Agent.BTZ", "synonyms": ["ComRat"] }, { "value": "Heseber BOT", "description": "RAT bundle with standard VNC (to avoid/limit A/V detection)." }, { "value": "Agent.dne" }, { "value": "Wipbot" }, { "value": "Turla" }, { "value": "Uroburos" }, { "value": "Winexe" }, { "value": "Dark Comet", "description": "RAT initialy identified in 2011 and still actively used." }, { "value": "AlienSpy", "description": "RAT for Apple OS X platforms" }, { "value": "Cadelspy", "synonyms": ["WinSpy"] }, { "value": "CMStar", "refs": ["http://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"] }, { "value": "DHS2015", "synonyms": ["iRAT"], "refs": ["https://securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf"] }, { "value": "Gh0st Rat", "description": "Gh0st Rat is a well-known Chinese remote access trojan which was originally made by C.Rufus Security Team several years ago.", "synonyms": ["Gh0stRat, GhostRat"], "refs": ["http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf"] }, { "value": "Fakem RAT", "description": "Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages). ", "synonyms": ["FAKEM"], "refs": ["http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf"] }, { "value": "MFC Huner", "synonyms": ["Hupigon", "BKDR_HUPIGON"], "refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/"] }, { "value": "Blackshades", "description": "Blackshades Remote Access Tool targets Microsoft Windows operating systems. Authors were arrested in 2012 and 2014.", "refs": ["https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-and-fbi-assistant-director-charge-announce-charges-connection","https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-2-blackshades-net/"] }, { "value": "CORESHELL" }, { "value": "CHOPSTICK" }, { "value": "SOURFACE" }, { "value": "OLDBAIT" }, { "value": "Havex RAT", "synonyms": ["Havex"] }, { "value": "KjW0rm", "description": "RAT initially written in VB.", "refs": ["https://www.sentinelone.com/blog/understanding-kjw0rm-malware-we-dive-in-to-the-tv5-cyber-attack/"] }, { "value": "LURK" }, { "value": "Oldrea" }, { "value": "AmmyAdmin" }, { "value": "Matryoshka" }, { "value": "TinyZBot" }, { "value": "GHOLE" }, { "value": "CWoolger" }, { "value": "FireMalv" }, { "value": "Regin" }, { "value": "Duqu" }, { "value": "Flame" }, { "value": "Stuxnet" }, { "value": "EquationLaser" }, { "value": "EquationDrug" }, { "value": "DoubleFantasy" }, { "value": "TripleFantasy" }, { "value": "Fanny" }, { "value": "GrayFish" }, { "value": "Babar" }, { "value": "Bunny" }, { "value": "Casper" }, { "value": "NBot" }, { "value": "Tafacalou" }, { "value": "Tdrop" }, { "value": "Troy" }, { "value": "Tdrop2" }, { "value": "ZXShell", "synonyms": ["Sensode"], "refs": ["http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html"] }, { "value": "T9000", "refs": ["http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/"] }, { "value": "T5000", "synonyms": ["Plat1"], "refs": ["http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml"] }, { "value": "Taidoor", "refs": ["http://www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks"] }, { "value": "Swisyn", "refs": ["http://labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/"] }, { "value": "Rekaf", "refs": ["https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"] }, { "value": "Scieron" }, { "value": "SkeletonKey", "refs": ["http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/"] }, { "value": "Skyipot", "refs": ["http://labs.alienvault.com/labs/index.php/2011/another-sykipot-sample-likely-targeting-us-federal-agencies/"] }, { "value": "Spindest", "refs": ["http://www.threatconnect.com/news/threatconnect-enables-healthy-networking-biomed-life-sciences-industry/"] }, { "value": "Preshin" }, { "value": "Rekaf", "refs": ["https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"] }, { "value": "Oficla" }, { "value": "PCClient RAT", "refs": ["http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/"] }, { "value": "Plexor" }, { "value": "Mongall", "refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"] }, { "value": "NeD Worm", "refs": ["http://www.clearskysec.com/dustysky/"] }, { "value": "NewCT", "refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"] }, { "value": "Nflog", "refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"] }, { "value": "Janicab", "refs": ["http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/"] }, { "value": "Jripbot", "synonyms": ["Jiripbot"], "refs": ["http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"] }, { "value": "Jolob", "refs": ["http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html"] }, { "value": "IsSpace", "refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"] }, { "value": "Hoardy", "synonyms": ["Hoarde", "Phindolp", "BS2005"] }, { "value": "Htran", "refs": ["http://www.secureworks.com/research/threats/htran/"] }, { "value": "HTTPBrowser", "synonyms": ["TokenControl"], "refs": ["https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"] }, { "value": "Disgufa" }, { "value": "Elirks" }, { "value": "Snifula", "synonyms": ["Ursnif"], "refs": ["https://www.circl.lu/pub/tr-13/"] }, { "value": "Aumlib", "synonyms": ["Yayih", "mswab", "Graftor"], "refs": ["http://www.cybersquared.com/killing-with-a-borrowed-knife-chaining-core-cloud-service-profile-infrastructure-for-cyber-attacks"] }, { "value": "CTRat", "refs": ["http://www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html"] }, { "value": "Emdivi", "synonyms": ["Newsripper"], "refs": ["http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan"] }, { "value": "Etumbot", "synonyms": ["Exploz", "Specfix", "RIPTIDE"], "refs": ["www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf"] }, { "value": "Fexel", "synonyms": ["Loneagent"] }, { "value": "Fysbis", "refs": ["http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"] }, { "value": "Hikit", "refs": ["https://blog.bit9.com/2013/02/25/bit9-security-incident-update/"] }, { "value": "Hancitor", "refs": ["https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear"], "synonyms": ["Tordal","Chanitor"] }, { "value": "Ruckguv", "refs": ["https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear"] }, { "value": "HerHer Trojan", "refs": ["http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"] }, { "value": "Helminth backdoor", "refs": ["http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"], } ], "version" : 1, "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "author": ["Alexandre Dulaunoy", "Florian Roth", "Timo Steffens"], "type": "threat-actor-tools" }