{ "description": "Name of ATT&CK software", "uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4", "authors": [ "MITRE" ], "source": "https://github.com/mitre/cti", "type": "malware", "values": [ { "description": "OLDBAIT is a credential harvester used by APT28.[[Citation: FireEye APT28]][[Citation: FireEye APT28 January 2017]]\n\nAliases: OLDBAIT, Sasfis", "meta": { "synonyms": [ "OLDBAIT", "Sasfis" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0138", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" ] }, "uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", "name": "OLDBAIT" }, { "description": "CosmicDuke is malware that was used by APT29 from 2010 to 2015.[[Citation: F-Secure The Dukes]]\n\nAliases: CosmicDuke, TinyBaron, BotgenStudios, NemesisGemina", "meta": { "synonyms": [ "CosmicDuke", "TinyBaron", "BotgenStudios", "NemesisGemina" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0050", "https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf" ] }, "uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "name": "CosmicDuke" }, { "description": "H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality.[[Citation: Cisco H1N1 Part 1]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0132", "http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" ] }, "uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "name": "H1N1" }, { "description": "SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.[[Citation: FireEye APT30]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0035", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ] }, "uuid": "8b880b41-5139-4807-baa9-309690218719", "name": "SPACESHIP" }, { "description": "Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION.[[Citation: Fidelis Hi-Zor]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0087", "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html" ] }, "uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", "name": "Hi-Zor" }, { "description": "TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017.[[Citation: FireEye FIN7 March 2017]]\n\nAliases: TEXTMATE, DNSMessenger", "meta": { "synonyms": [ "TEXTMATE", "DNSMessenger" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0146", "https://www.fireeye.com/blog/threat-research/2017/03/fin7%20spear%20phishing.html" ] }, "uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", "name": "TEXTMATE" }, { "description": "Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler.[[Citation: Cylance Cleaver]]\n\nAliases: Net Crawler, NetC", "meta": { "synonyms": [ "Net Crawler", "NetC" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0056", "http://www.cylance.com/assets/Cleaver/Cylance%20Operation%20Cleaver%20Report.pdf" ] }, "uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", "name": "Net Crawler" }, { "description": "BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3.[[Citation: F-Secure BlackEnergy 2014]]\n\nAliases: BlackEnergy, Black Energy", "meta": { "synonyms": [ "BlackEnergy", "Black Energy" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0089", "https://www.f-secure.com/documents/996508/1030745/blackenergy%20whitepaper.pdf" ] }, "uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "name": "BlackEnergy" }, { "description": "Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group.[[Citation: Palo Alto DNS Requests]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0124", "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" ] }, "uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", "name": "Pisloader" }, { "description": "Backdoor.Oldrea is a backdoor used by Dragonfly. It appears to be custom malware authored by the group or specifically for it.[[Citation: Symantec Dragonfly]]\n\nAliases: Backdoor.Oldrea, Havex", "meta": { "synonyms": [ "Backdoor.Oldrea", "Havex" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0093", "http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/Dragonfly%20Threat%20Against%20Western%20Energy%20Suppliers.pdf" ] }, "uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "name": "Backdoor.Oldrea" }, { "description": "ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool.[[Citation: Palo Alto menuPass Feb 2017]][[Citation: JPCERT ChChes Feb 2017]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0144", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", "http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html" ] }, "uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "name": "ChChes" }, { "description": "Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software.[[Citation: TrendMicro Hacking Team UEFI]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0047", "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/" ] }, "uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", "name": "Hacking Team UEFI Rootkit" }, { "description": "httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool.[[Citation: CrowdStrike Putter Panda]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0068", "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" ] }, "uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", "name": "httpclient" }, { "description": "Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015.[[Citation: ESET Sednit Part 3]]\n\nAliases: Downdelph, Delphacy", "meta": { "synonyms": [ "Downdelph", "Delphacy" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0134", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" ] }, "uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", "name": "Downdelph" }, { "description": "StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites.[[Citation: Cylance Shell Crew Feb 2017]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0142", "https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" ] }, "uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", "name": "StreamEx" }, { "description": "Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM.[[Citation: Scarlet Mimic Jan 2016]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0078", "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" ] }, "uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", "name": "Psylo" }, { "description": "HDoor is malware that has been customized and used by the Naikon group.[[Citation: Baumgartner Naikon 2015]]\n\nAliases: HDoor, Custom HDoor", "meta": { "synonyms": [ "HDoor", "Custom HDoor" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0061", "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" ] }, "uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", "name": "HDoor" }, { "description": "TinyZBot is a bot written in C# that was developed by Cleaver.[[Citation: Cylance Cleaver]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0004", "http://www.cylance.com/assets/Cleaver/Cylance%20Operation%20Cleaver%20Report.pdf" ] }, "uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "name": "TinyZBot" }, { "description": "BACKSPACE is a backdoor used by APT30 that dates back to at least 2005.[[Citation: FireEye APT30]]\n\nAliases: BACKSPACE, Lecna", "meta": { "synonyms": [ "BACKSPACE", "Lecna" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0031", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ] }, "uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "name": "BACKSPACE" }, { "description": "PinchDuke is malware that was used by APT29 from 2008 to 2010.[[Citation: F-Secure The Dukes]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0048", "https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf" ] }, "uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", "name": "PinchDuke" }, { "description": "CloudDuke is malware that was used by APT29 in 2015.[[Citation: F-Secure The Dukes]]\n\nAliases: CloudDuke, MiniDionis, CloudLook", "meta": { "synonyms": [ "CloudDuke", "MiniDionis", "CloudLook" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0054", "https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf" ] }, "uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", "name": "CloudDuke" }, { "description": "WinMM is a full-featured, simple backdoor used by Naikon.[[Citation: Baumgartner Naikon 2015]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0059", "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" ] }, "uuid": "22addc7b-b39f-483d-979a-1b35147da5de", "name": "WinMM" }, { "description": "MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic.[[Citation: Scarlet Mimic Jan 2016]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0079", "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" ] }, "uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", "name": "MobileOrder" }, { "description": "Sys10 is a backdoor that was used throughout 2013 by Naikon.[[Citation: Baumgartner Naikon 2015]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0060", "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" ] }, "uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", "name": "Sys10" }, { "description": "Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network.[[Citation: Symantec W32.Duqu]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0038", "https://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/w32%20duqu%20the%20precursor%20to%20the%20next%20stuxnet.pdf" ] }, "uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "name": "Duqu" }, { "description": "FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic.[[Citation: Scarlet Mimic Jan 2016]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0076", "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" ] }, "uuid": "bb3c1098-d654-4620-bf40-694386d28921", "name": "FakeM" }, { "description": "SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.[[Citation: FireEye APT30]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0028", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ] }, "uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", "name": "SHIPSHAPE" }, { "description": "T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations.[[Citation: FireEye admin@338 March 2014]][[Citation: Palo Alto T9000 Feb 2016]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0098", "https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html", "http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/" ] }, "uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "name": "T9000" }, { "description": "BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011.[[Citation: Villeneuve et al 2014]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0014", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf" ] }, "uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6", "name": "BS2005" }, { "description": "WEBC2 is a backdoor used by APT1 to retrieve a Web page from a predetermined C2 server.[[Citation: Mandiant APT1 Appendix]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0109", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" ] }, "uuid": "1d808f62-cf63-4063-9727-ff6132514c22", "name": "WEBC2" }, { "description": "PlugX is a remote access tool (RAT) that uses modular plugins.[[Citation: Lastline PlugX Analysis]] It has been used by multiple threat groups.[[Citation: FireEye Clandestine Fox Part 2]][[Citation: New DragonOK]][[Citation: Dell TG-3390]]\n\nAliases: PlugX, Sogu, Kaba", "meta": { "synonyms": [ "PlugX", "Sogu", "Kaba" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0013", "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html", "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", "http://labs.lastline.com/an-analysis-of-plugx", "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/" ] }, "uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "name": "PlugX" }, { "description": "Misdat is a backdoor that was used by Dust Storm from 2010 to 2011.[[Citation: Cylance Dust Storm]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0083", "https://www.cylance.com/hubfs/2015%20cylance%20website/assets/operation-dust-storm/Op%20Dust%20Storm%20Report.pdf?t=1456259131512" ] }, "uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "name": "Misdat" }, { "description": "Taidoor is malware that has been used since at least 2010, primarily to target Taiwanese government organizations.[[Citation: TrendMicro Taidoor]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0011", "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp%20the%20taidoor%20campaign.pdf" ] }, "uuid": "b143dfa4-e944-43ff-8429-bfffc308c517", "name": "Taidoor" }, { "description": "MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.[[Citation: Palo Alto MoonWind March 2017]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0149", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" ] }, "uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "name": "MoonWind" }, { "description": "Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims.[[Citation: Proofpoint Operation Transparent Tribe March 2016]]\n\nAliases: Crimson, MSIL/Crimson", "meta": { "synonyms": [ "Crimson", "MSIL/Crimson" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0115", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ] }, "uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "name": "Crimson" }, { "description": "Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan.[[Citation: Palo Alto Rover]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0090", "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" ] }, "uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "name": "Rover" }, { "description": "ZLib is a full-featured backdoor that was used as a second-stage implant by Dust Storm from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived.[[Citation: Cylance Dust Storm]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0086", "https://www.cylance.com/hubfs/2015%20cylance%20website/assets/operation-dust-storm/Op%20Dust%20Storm%20Report.pdf?t=1456259131512" ] }, "uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", "name": "ZLib" }, { "description": "PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros.[[Citation: Volexity PowerDuke November 2016]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0139", "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" ] }, "uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "name": "PowerDuke" }, { "description": "HTTPBrowser is malware that has been used by several threat groups.[[Citation: ThreatStream Evasion Analysis]][[Citation: Dell TG-3390]] It is believed to be of Chinese origin.[[Citation: ThreatConnect Anthem]]\n\nAliases: HTTPBrowser, Token Control, HttpDump", "meta": { "synonyms": [ "HTTPBrowser", "Token Control", "HttpDump" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0070", "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop", "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/" ] }, "uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "name": "HTTPBrowser" }, { "description": "HAMMERTOSS is a backdoor that was used by APT29 in 2015.[[Citation: FireEye APT29]][[Citation: F-Secure The Dukes]]\n\nAliases: HAMMERTOSS, HammerDuke, NetDuke", "meta": { "synonyms": [ "HAMMERTOSS", "HammerDuke", "NetDuke" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0037", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf", "https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf" ] }, "uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", "name": "HAMMERTOSS" }, { "description": "PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.[[Citation: FireEye Poison Ivy]]\n\nAliases: PoisonIvy, Poison Ivy", "meta": { "synonyms": [ "PoisonIvy", "Poison Ivy" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0012", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf" ] }, "uuid": "b42378e0-f147-496f-992a-26a49705395b", "name": "PoisonIvy" }, { "description": "Carbanak is a remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines.[[Citation: Kaspersky Carbanak]]\n\nAliases: Carbanak, Anunak", "meta": { "synonyms": [ "Carbanak", "Anunak" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0030", "https://securelist.com/files/2015/02/Carbanak%20APT%20eng.pdf" ] }, "uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", "name": "Carbanak" }, { "description": "Ixeshe is a malware family that has been used since 2009 to attack targets in East Asia.[[Citation: Moran 2013]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0015", "https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html" ] }, "uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", "name": "Ixeshe" }, { "description": "BADNEWS is malware that has been used by the actors responsible for the MONSOON campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control.[[Citation: Forcepoint Monsoon]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0128", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" ] }, "uuid": "e9595678-d269-469e-ae6b-75e49259de63", "name": "BADNEWS" }, { "description": "Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries.[[Citation: Kaspersky Flame]]\n\nAliases: Flame, Flamer, sKyWIper", "meta": { "synonyms": [ "Flame", "Flamer", "sKyWIper" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0143", "https://securelist.com/blog/incidents/34344/the-flame-questions-and-answers-51/" ] }, "uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "name": "Flame" }, { "description": "RIPTIDE is a proxy-aware backdoor used by APT12.[[Citation: Moran 2014]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0003", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" ] }, "uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", "name": "RIPTIDE" }, { "description": "CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality.[[Citation: F-Secure The Dukes]]\n\nAliases: CozyCar, CozyDuke, CozyBear, Cozer, EuroAPT", "meta": { "synonyms": [ "CozyCar", "CozyDuke", "CozyBear", "Cozer", "EuroAPT" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0046", "https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf" ] }, "uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "name": "CozyCar" }, { "description": "Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach.[[Citation: Symantec Black Vine]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0080", "http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-black-vine-cyberespionage-group.pdf" ] }, "uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", "name": "Mivast" }, { "description": "Cherry Picker is a point of sale (PoS) memory scraper.[[Citation: Trustwave Cherry Picker]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0107", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/" ] }, "uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", "name": "Cherry Picker" }, { "description": "XTunnel a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee.[[Citation: Crowdstrike DNC June 2016]][[Citation: Invincea XTunnel]][[Citation: ESET Sednit Part 2]]\n\nAliases: XTunnel, X-Tunnel, XAPS", "meta": { "synonyms": [ "XTunnel", "X-Tunnel", "XAPS" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0117", "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" ] }, "uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "name": "XTunnel" }, { "description": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.[[Citation: F-Secure The Dukes]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0049", "https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf" ] }, "uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", "name": "GeminiDuke" }, { "description": "Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.[[Citation: Dell Sakula]]\n\nAliases: Sakula, Sakurel, VIPER", "meta": { "synonyms": [ "Sakula", "Sakurel", "VIPER" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0074", "http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/" ] }, "uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", "name": "Sakula" }, { "description": "Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008.[[Citation: Securelist Agent.btz]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0092", "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/" ] }, "uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", "name": "Agent.btz" }, { "description": "Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008.[[Citation: ESET Operation Groundbait]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0113", "http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" ] }, "uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "name": "Prikormka" }, { "description": "NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.”[[Citation: FireEye APT30]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0034", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ] }, "uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "name": "NETEAGLE" }, { "description": "USBStealer is malware that has used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL.[[Citation: ESET Sednit USBStealer 2014]][[Citation: Kaspersky Sofacy]]\n\nAliases: USBStealer, USB Stealer, Win32/USBStealer", "meta": { "synonyms": [ "USBStealer", "USB Stealer", "Win32/USBStealer" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0136", "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/", "http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/" ] }, "uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "name": "USBStealer" }, { "description": "CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic.[[Citation: Mandiant APT1]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0025", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" ] }, "uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", "name": "CALENDAR" }, { "description": "Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003.[[Citation: Kaspersky Regin]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0019", "https://securelist.com/files/2014/11/Kaspersky%20Lab%20whitepaper%20Regin%20platform%20eng.pdf" ] }, "uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", "name": "Regin" }, { "description": "AutoIt is a backdoor that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352.[[Citation: Forcepoint Monsoon]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0129", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" ] }, "uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", "name": "AutoIt" }, { "description": "Pteranodon is a custom backdoor used by Gamaredon Group.[[Citation: Palo Alto Gamaredon Feb 2017]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0147", "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" ] }, "uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "name": "Pteranodon" }, { "description": "RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX.[[Citation: Aquino RARSTONE]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0055", "http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/" ] }, "uuid": "8c553311-0baa-4146-997a-f79acef3d831", "name": "RARSTONE" }, { "description": "SHOTPUT is a custom backdoor used by APT3.[[Citation: FireEye Clandestine Wolf]]\n\nAliases: SHOTPUT, Backdoor.APT.CookieCutter, Pirpi", "meta": { "synonyms": [ "SHOTPUT", "Backdoor.APT.CookieCutter", "Pirpi" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0063", "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html" ] }, "uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", "name": "SHOTPUT" }, { "description": "Trojan.Karagany is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums.[[Citation: Symantec Dragonfly]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0094", "http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/Dragonfly%20Threat%20Against%20Western%20Energy%20Suppliers.pdf" ] }, "uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "name": "Trojan.Karagany" }, { "description": "Kasidet is a backdoor that has been dropped by using malicious VBA macros.[[Citation: Zscaler Kasidet]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0088", "http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html" ] }, "uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", "name": "Kasidet" }, { "description": "CHOPSTICK is malware family of modular backdoors used by APT28. It has been used from at least November 2012 to August 2016 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases.[[Citation: FireEye APT28]][[Citation: ESET Sednit Part 2]][[Citation: FireEye APT28 January 2017]]\n\nAliases: CHOPSTICK, SPLM, Xagent, X-Agent, webhp", "meta": { "synonyms": [ "CHOPSTICK", "SPLM", "Xagent", "X-Agent", "webhp" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0023", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" ] }, "uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "name": "CHOPSTICK" }, { "description": "MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke.[[Citation: F-Secure The Dukes]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0051", "https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf" ] }, "uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "name": "MiniDuke" }, { "description": "BBSRAT is malware with remote access tool functionality that has been used in targeted compromises.[[Citation: Palo Alto Networks BBSRAT]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0127", "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" ] }, "uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "name": "BBSRAT" }, { "description": "Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of\ntools referred to as LStudio, ST Group, and APT0LSTU.[[Citation: Lotus Blossom Jun 2015]]\n\nAliases: Elise, BKDR_ESILE, Page", "meta": { "synonyms": [ "Elise", "BKDR_ESILE", "Page" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0081", "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" ] }, "uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "name": "Elise" }, { "description": "BISCUIT is a backdoor that has been used by APT1 since as early as 2007.[[Citation: Mandiant APT1]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0017", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" ] }, "uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", "name": "BISCUIT" }, { "description": "Uroburos is a rootkit used by Turla.[[Citation: Kaspersky Turla]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0022", "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/" ] }, "uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", "name": "Uroburos" }, { "description": "POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped.[[Citation: FireEye FIN7 March 2017]][[Citation: Cisco DNSMessenger March 2017]]\n\nAliases: POWERSOURCE, DNSMessenger", "meta": { "synonyms": [ "POWERSOURCE", "DNSMessenger" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0145", "https://www.fireeye.com/blog/threat-research/2017/03/fin7%20spear%20phishing.html", "http://blog.talosintelligence.com/2017/03/dnsmessenger.html" ] }, "uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", "name": "POWERSOURCE" }, { "description": "hcdLoader is a remote access tool (RAT) that has been used by APT18.[[Citation: Dell Lateral Movement]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0071", "http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/" ] }, "uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", "name": "hcdLoader" }, { "description": "Zeroaccess is a kernel-mode Rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain.[[Citation: Sophos ZeroAccess]]\n\nAliases: Zeroaccess, Trojan.Zeroaccess", "meta": { "synonyms": [ "Zeroaccess", "Trojan.Zeroaccess" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0027", "https://sophosnews.files.wordpress.com/2012/04/zeroaccess2.pdf" ] }, "uuid": "552462b9-ae79-49dd-855c-5973014e157f", "name": "Zeroaccess" }, { "description": "Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password.Skeleton Key is included as a module in Mimikatz.", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0007", "http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/" ] }, "uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", "name": "Skeleton Key" }, { "description": "Shamoon is malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. The 2.0 version was seen in 2016 targeting Middle Eastern states.[[Citation: FireEye Shamoon Nov 2016]][[Citation: Palo Alto Shamoon Nov 2016]]\n\nAliases: Shamoon, Disttrack", "meta": { "synonyms": [ "Shamoon", "Disttrack" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0140", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/", "https://www.fireeye.com/blog/threat-research/2016/11/fireeye%20respondsto.html" ] }, "uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "name": "Shamoon" }, { "description": "4H RAT is malware that has been used by Putter Panda since at least 2007.[[Citation: CrowdStrike Putter Panda]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0065", "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" ] }, "uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", "name": "4H RAT" }, { "description": "BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector.[[Citation: MTrends 2016]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0114", "https://www.fireeye.com/content/dam/fireeye-www/regional/fr%20FR/offers/pdfs/ig-mtrends-2016.pdf" ] }, "uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3", "name": "BOOTRASH" }, { "description": "China Chopper is a Threat Group-3390.[[Citation: Dell TG-3390]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0020", "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html" ] }, "uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "name": "China Chopper" }, { "description": "Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies.[[Citation: Dell Wiper]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0041", "http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/" ] }, "uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085", "name": "Wiper" }, { "description": "Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign.[[Citation: Forcepoint Monsoon]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0130", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" ] }, "uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", "name": "Unknown Logger" }, { "description": "gh0st is a remote access tool (RAT). The source code is public and it has been used by many groups.[[Citation: FireEye Hacking Team]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0032", "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating%20hustle.html" ] }, "uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "name": "gh0st" }, { "description": "CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL. It has also been referred to as Sofacy, though that term has been used widely to refer to both the group APT28 and malware families associated with the group.[[Citation: FireEye APT28]][[Citation: FireEye APT28 January 2017]]\n\nAliases: CORESHELL, SOURFACE", "meta": { "synonyms": [ "CORESHELL", "SOURFACE" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0137", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" ] }, "uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", "name": "CORESHELL" }, { "description": "Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua.[[Citation: Symantec Strider Blog]]\n\nAliases: Remsec, Backdoor.Remsec, ProjectSauron", "meta": { "synonyms": [ "Remsec", "Backdoor.Remsec", "ProjectSauron" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0125", "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets" ] }, "uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "name": "Remsec" }, { "description": "FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.[[Citation: FireEye APT30]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0036", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ] }, "uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", "name": "FLASHFLOOD" }, { "description": "TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm.[[Citation: Forcepoint Monsoon]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0131", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" ] }, "uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", "name": "TINYTYPHON" }, { "description": "SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar.[[Citation: F-Secure The Dukes]]\n\nAliases: SeaDuke, SeaDaddy, SeaDesk", "meta": { "synonyms": [ "SeaDuke", "SeaDaddy", "SeaDesk" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0053", "https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf" ] }, "uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "name": "SeaDuke" }, { "description": "ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase.[[Citation: Kaspersky Sofacy]][[Citation: ESET Sednit Part 2]]\n\nAliases: ADVSTORESHELL, NETUI, EVILTOSS, AZZY, Sedreco", "meta": { "synonyms": [ "ADVSTORESHELL", "NETUI", "EVILTOSS", "AZZY", "Sedreco" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0045", "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" ] }, "uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "name": "ADVSTORESHELL" }, { "description": "S-Type is a backdoor that was used by Dust Storm from 2013 to 2014.[[Citation: Cylance Dust Storm]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0085", "https://www.cylance.com/hubfs/2015%20cylance%20website/assets/operation-dust-storm/Op%20Dust%20Storm%20Report.pdf?t=1456259131512" ] }, "uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "name": "S-Type" }, { "description": "NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013.[[Citation: Kaspersky NetTraveler]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0033", "http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf" ] }, "uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", "name": "NetTraveler" }, { "description": "Dyre is a Trojan that usually targets banking information.[[Citation: Raff 2015]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0024", "http://www.seculert.com/blogs/new-dyre-version-yet-another-malware-evading-sandboxes" ] }, "uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", "name": "Dyre" }, { "description": "P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture.[[Citation: Dell P2P ZeuS]]\n\nAliases: P2P ZeuS, Peer-to-Peer ZeuS, Gameover ZeuS", "meta": { "synonyms": [ "P2P ZeuS", "Peer-to-Peer ZeuS", "Gameover ZeuS" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0016", "http://www.secureworks.com/cyber-threat-intelligence/threats/The%20Lifecycle%20of%20Peer%20to%20Peer%20Gameover%20ZeuS/" ] }, "uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", "name": "P2P ZeuS" }, { "description": "ComRAT is a remote access tool suspected of being a decedent of Agent.btz and used by Turla.[[Citation: Symantec Waterbug]][[Citation: NorthSec 2015 GData Uroburos Tools]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0126", "http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/waterbug-attack-group.pdf", "https://www.nsec.io/wp-content/uploads/2015/05/uroburos-actors-tools-1.1.pdf" ] }, "uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", "name": "ComRAT" }, { "description": "Winnti is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, Winnti Group; however, reporting indicates a second distinct group, Axiom, also uses the malware.[[Citation: Kaspersky Winnti April 2013]][[Citation: Microsoft Winnti Jan 2017]][[Citation: Novetta Winnti April 2015]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0141", "http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf", "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/", "https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf" ] }, "uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", "name": "Winnti" }, { "description": "RTM is custom malware written in Delphi. It is used by the group of the same name (RTM).[[Citation: ESET RTM Feb 2017]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0148", "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" ] }, "uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "name": "RTM" }, { "description": "CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell.[[Citation: Scarlet Mimic Jan 2016]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0077", "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" ] }, "uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", "name": "CallMe" }, { "description": "HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware.[[Citation: ESET Sednit Part 3]][[Citation: Sekoia HideDRV Oct 2016]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0135", "http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" ] }, "uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", "name": "HIDEDRV" }, { "description": "Mis-Type is a backdoor hybrid that was used by Dust Storm in 2012.[[Citation: Cylance Dust Storm]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0084", "https://www.cylance.com/hubfs/2015%20cylance%20website/assets/operation-dust-storm/Op%20Dust%20Storm%20Report.pdf?t=1456259131512" ] }, "uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "name": "Mis-Type" }, { "description": "Hikit is malware that has been used by Axiom for late-stage [[persistence]] and [[exfiltration]] after the initial compromise.[[Citation: Axiom]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0009", "http://www.novetta.com/wp-content/uploads/2014/11/Executive%20Summary-Final%201.pdf" ] }, "uuid": "95047f03-4811-4300-922e-1ba937d53a61", "name": "Hikit" }, { "description": "ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version.[[Citation: Dell TG-3390]]\n\nAliases: ASPXSpy, ASPXTool", "meta": { "synonyms": [ "ASPXSpy", "ASPXTool" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0073", "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/" ] }, "uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", "name": "ASPXSpy" }, { "description": "Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims.[[Citation: Alienvault Sykipot DOD Smart Cards]] The group using this malware has also been referred to as Sykipot.[[Citation: Blasco 2013]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0018", "http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments", "https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards" ] }, "uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "name": "Sykipot" }, { "description": "GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic.[[Citation: Mandiant APT1]]\n\nAliases: GLOOXMAIL, Trojan.GTALK", "meta": { "synonyms": [ "GLOOXMAIL", "Trojan.GTALK" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0026", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" ] }, "uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", "name": "GLOOXMAIL" }, { "description": "Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio.[[Citation: Lotus Blossom Dec 2015]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0082", "http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/" ] }, "uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "name": "Emissary" }, { "description": "Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread.[[Citation: Softpedia MinerC]]\n\nAliases: Miner-C, Mal/Miner-C, PhotoMiner", "meta": { "synonyms": [ "Miner-C", "Mal/Miner-C", "PhotoMiner" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0133", "http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml" ] }, "uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234", "name": "Miner-C" }, { "description": "DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015.[[Citation: DustySky]][[Citation: DustySky2]]\n\nAliases: DustySky, NeD Worm", "meta": { "synonyms": [ "DustySky", "NeD Worm" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0062", "http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2%20-6.2016%20TLP%20White.pdf" ] }, "uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "name": "DustySky" }, { "description": "BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities.[[Citation: FireEye admin@338]]\n\nAliases: BUBBLEWRAP, Backdoor.APT.FakeWinHTTPHelper", "meta": { "synonyms": [ "BUBBLEWRAP", "Backdoor.APT.FakeWinHTTPHelper" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0043", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" ] }, "uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", "name": "BUBBLEWRAP" }, { "description": "pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple \"download-and-\nexecute\" utility.[[Citation: CrowdStrike Putter Panda]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0067", "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" ] }, "uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", "name": "pngdowner" }, { "description": "SslMM is a full-featured backdoor used by Naikon that has multiple variants.[[Citation: Baumgartner Naikon 2015]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0058", "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" ] }, "uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "name": "SslMM" }, { "description": "Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web compromise.[[Citation: Symantec Suckfly March 2016]]\n\nAliases: Nidiran, Backdoor.Nidiran", "meta": { "synonyms": [ "Nidiran", "Backdoor.Nidiran" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0118", "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates" ] }, "uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", "name": "Nidiran" }, { "description": "Trojan.Mebromi is BIOS-level malware that takes control of the victim before MBR.[[Citation: Ge 2011]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0001", "http://www.symantec.com/connect/blogs/bios-threat-showing-again" ] }, "uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec", "name": "Trojan.Mebromi" }, { "description": "OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390.[[Citation: Dell TG-3390]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0072", "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/" ] }, "uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", "name": "OwaAuth" }, { "description": "ROCKBOOT is a Bootkit that has been used by an unidentified, suspected China-based group.[[Citation: FireEye Bootkits]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0112", "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html" ] }, "uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", "name": "ROCKBOOT" }, { "description": "OnionDuke is malware that was used by APT29 from 2013 to 2015.[[Citation: F-Secure The Dukes]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0052", "https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf" ] }, "uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", "name": "OnionDuke" }, { "description": "LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations.[[Citation: FireEye admin@338]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0042", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" ] }, "uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", "name": "LOWBALL" }, { "description": "BLACKCOFFEE is malware that has been used by APT17 since at least 2013.[[Citation: FireEye APT17]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0069", "https://www2.fireeye.com/rs/fireye/images/APT17%20Report.pdf" ] }, "uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", "name": "BLACKCOFFEE" }, { "description": "Derusbi is malware used by multiple Chinese APT groups.[[Citation: Axiom]][[Citation: ThreatConnect Anthem]] Both Windows and Linux variants have been observed.[[Citation: Fidelis Turbo]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0021", "http://www.novetta.com/wp-content/uploads/2014/11/Executive%20Summary-Final%201.pdf", "https://www.fidelissecurity.com/sites/default/files/TA%20Fidelis%20Turbo%201602%200.pdf", "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/" ] }, "uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "name": "Derusbi" }, { "description": "Epic is a backdoor that has been used by Turla.[[Citation: Kaspersky Turla]]\n\nAliases: Epic, Tavdig, Wipbot, WorldCupSec, TadjMakhal", "meta": { "synonyms": [ "Epic", "Tavdig", "Wipbot", "WorldCupSec", "TadjMakhal" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0091", "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/" ] }, "uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", "name": "Epic" }, { "description": "Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006.[[Citation: Villeneuve 2014]][[Citation: Villeneuve 2011]]\n\nAliases: Lurid, Enfal", "meta": { "synonyms": [ "Lurid", "Enfal" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0010", "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp%20dissecting-lurid-apt.pdf", "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" ] }, "uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", "name": "Lurid" }, { "description": "3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda.[[Citation: CrowdStrike Putter Panda]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0066", "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" ] }, "uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", "name": "3PARA RAT" }, { "description": "JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware.[[Citation: Kaspersky Sofacy]][[Citation: F-Secure Sofacy 2015]][[Citation: ESET Sednit Part 1]][[Citation: FireEye APT28 January 2017]]\n\nAliases: JHUHUGIT, Seduploader, JKEYSKW, Sednit, GAMEFISH", "meta": { "synonyms": [ "JHUHUGIT", "Seduploader", "JKEYSKW", "Sednit", "GAMEFISH" ], "refs": [ "https://attack.mitre.org/wiki/Software/S0044", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/", "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/" ] }, "uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "name": "JHUHUGIT" }, { "description": "ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16.[[Citation: FireEye EPS Awakens Part 2]]", "meta": { "refs": [ "https://attack.mitre.org/wiki/Software/S0064", "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" ] }, "uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", "name": "ELMER" } ], "version": "1", "name": "Malware" }