{ "authors": [ "MITRE" ], "category": "tool", "description": "Name of ATT&CK software", "name": "Malware", "source": "https://github.com/mitre/cti", "type": "mitre-malware", "uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4", "values": [ { "description": "[Hacking Team UEFI Rootkit](https://attack.mitre.org/software/S0047) is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. (Citation: TrendMicro Hacking Team UEFI)", "meta": { "external_id": "S0047", "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/", "https://attack.mitre.org/software/S0047" ], "synonyms": [ "Hacking Team UEFI Rootkit" ] }, "related": [ { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", "type": "uses" } ], "uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", "value": "Hacking Team UEFI Rootkit - S0047" }, { "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. 
(Citation: CrowdStrike-Android) It is tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).", "meta": { "external_id": "S0314", "refs": [ "https://attack.mitre.org/software/S0314", "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" ] }, "related": [ { "dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" } ], "uuid": "56660521-6db4-4e5a-a927-464f22954b7c", "value": "X-Agent for Android - S0314" }, { "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0) ", "meta": { "external_id": "S0539", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0539", "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" ], "synonyms": [ "Red Alert 2.0" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5", "type": "uses" }, { "dest-uuid": "986f80f7-ff0e-4f48-87bd-0394814bbce5", "type": 
"uses" }, { "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" } ], "uuid": "6e282bbf-5f32-476a-b879-ba77eec463c8", "value": "Red Alert 2.0 - S0539" }, { "description": "[Exaramel for Linux](https://attack.mitre.org/software/S0401) is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under [Exaramel for Windows](https://attack.mitre.org/software/S0343).(Citation: ESET TeleBots Oct 2018)", "meta": { "external_id": "S0401", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S0401", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" ], "synonyms": [ "Exaramel for Linux" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "type": "uses" }, { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "11194d8b-fdce-45d2-8047-df15bb8f16bd", "value": "Exaramel for 
Linux - S0401" }, { "description": "[Winnti for Linux](https://attack.mitre.org/software/S0430) is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including [Winnti Group](https://attack.mitre.org/groups/G0044). The Windows variant is tracked separately under [Winnti for Windows](https://attack.mitre.org/software/S0141).(Citation: Chronicle Winnti for Linux May 2019)", "meta": { "external_id": "S0430", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S0430", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a" ], "synonyms": [ "Winnti for Linux" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "8787e86d-8475-4f13-acea-d33eb83b6105", "value": "Winnti for Linux - S0430" }, { "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).", "meta": { "external_id": "S0490", "mitre_platforms": [ "iOS" ], "refs": [ "https://attack.mitre.org/software/S0490", 
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" ], "synonyms": [ "XLoader for iOS" ] }, "related": [ { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "type": "uses" } ], "uuid": "29944858-da52-4d3d-b428-f8a6eb8dde6f", "value": "XLoader for iOS - S0490" }, { "description": "[Winnti for Windows](https://attack.mitre.org/software/S0141) is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: Kaspersky Winnti April 2013)(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)(Citation: 401 TRG Winnti Umbrella May 2018). 
The Linux variant is tracked separately under [Winnti for Linux](https://attack.mitre.org/software/S0430).(Citation: Chronicle Winnti for Linux May 2019)", "meta": { "external_id": "S0141", "mitre_platforms": [ "Windows" ], "refs": [ "https://401trg.github.io/pages/burning-umbrella.html", "https://attack.mitre.org/software/S0141", "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a", "https://securelist.com/winnti-more-than-just-a-game/37029/", "https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" ], "synonyms": [ "Winnti for Windows" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9b3a4cff-1c5a-4fd6-b49c-27240b6d622c", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" } ], "uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", "value": "Winnti for Windows - S0141" }, { "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).", "meta": { "external_id": "S0316", "mitre_platforms": [ "Android" ], "refs": [ "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html", "https://attack.mitre.org/software/S0316", "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" ], "synonyms": [ "Pegasus for Android", "Chrysaor" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "type": "uses" }, { "dest-uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], 
"type": "similar" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922", "type": "uses" }, { "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" } ], "uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", "value": "Pegasus for Android - S0316" }, { "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. 
It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).", "meta": { "external_id": "S0318", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0318", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" ], "synonyms": [ "XLoader for Android" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "986f80f7-ff0e-4f48-87bd-0394814bbce5", "type": "uses" }, { "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "2740eaf6-2db2-4a40-a63f-f5b166c7059c", "value": "XLoader for Android - S0318" }, { "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. 
It has been advertised and sold to target high-value victims.(Citation: Lookout-Pegasus)(Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).", "meta": { "external_id": "S0289", "mitre_platforms": [ "iOS" ], "refs": [ "https://attack.mitre.org/software/S0289", "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/", "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" ], "synonyms": [ "Pegasus for iOS" ] }, "related": [ { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "type": "uses" }, { "dest-uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5abfc5e6-3c56-49e7-ad72-502d01acf28b", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", "type": "uses" }, { "dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" }, { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "type": "uses" } ], "uuid": 
"33d9d91d-aad9-49d5-a516-220ce101ac8a", "value": "Pegasus for iOS - S0289" }, { "description": "[Exaramel for Windows](https://attack.mitre.org/software/S0343) is a backdoor used for targeting Windows systems. The Linux version is tracked separately under [Exaramel for Linux](https://attack.mitre.org/software/S0401).(Citation: ESET TeleBots Oct 2018)", "meta": { "external_id": "S0343", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0343", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" ], "synonyms": [ "Exaramel for Windows" ] }, "related": [ { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" } ], "uuid": "051eaca1-958f-4091-9e5f-a9acd8f820b5", "value": "Exaramel for Windows - S0343" }, { "description": "[P.A.S. Webshell](https://attack.mitre.org/software/S0598) is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.(Citation: ANSSI Sandworm January 2021)", "meta": { "external_id": "S0598", "mitre_platforms": [ "Linux", "Windows" ], "refs": [ "https://attack.mitre.org/software/S0598", "https://us-cert.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" ], "synonyms": [ "P.A.S. 
Webshell", "Fobushell" ] }, "related": [ { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, { "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "4800d0f9-00aa-47cd-a4d2-92198585b8fd", "value": "P.A.S. Webshell - S0598" }, { "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). 
The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)", "meta": { "external_id": "S0032", "mitre_platforms": [ "Windows", "macOS" ], "refs": [ "https://attack.mitre.org/software/S0032", "https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/", "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", "https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/", "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html" ], "synonyms": [ "gh0st RAT", "Mydoor", "Moudoor" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "1b1ae63f-bcee-4aba-8994-6c60cee5e16f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "29ba5a15-3b7b-4732-b817-65ea8f6468e6", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { 
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "value": "gh0st RAT - S0032" }, { "description": "[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.(Citation: Lee 2013) It has been used by several threat groups.(Citation: Dell TG-3390)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Rapid7 HAFNIUM Mar 2021)", "meta": { "external_id": "S0020", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0020", "https://us-cert.cisa.gov/ncas/alerts/aa21-200a", "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/", "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" ], "synonyms": [ "China Chopper" ] }, "related": [ { "dest-uuid": 
"09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "value": "China Chopper - S0020" }, { "description": "[Skeleton Key](https://attack.mitre.org/software/S0007) is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. (Citation: Dell Skeleton) Functionality similar to [Skeleton Key](https://attack.mitre.org/software/S0007) is included as a module in [Mimikatz](https://attack.mitre.org/software/S0002).", "meta": { "external_id": "S0007", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0007", "https://www.secureworks.com/research/skeleton-key-malware-analysis" ], "synonyms": [ "Skeleton Key" ] }, "related": [ { "dest-uuid": "d4b96d2c-1032-4b22-9235-2b5b649d0605", "type": "uses" } ], "uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", "value": "Skeleton Key - S0007" }, { "description": "[P2P ZeuS](https://attack.mitre.org/software/S0016) is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. 
(Citation: Dell P2P ZeuS)", "meta": { "external_id": "S0016", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0016", "https://www.secureworks.com/research/The-Lifecycle-of-Peer-to-Peer-Gameover-ZeuS" ], "synonyms": [ "P2P ZeuS", "Peer-to-Peer ZeuS", "Gameover ZeuS" ] }, "related": [ { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" } ], "uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", "value": "P2P ZeuS - S0016" }, { "description": "[Unknown Logger](https://attack.mitre.org/software/S0130) is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. (Citation: Forcepoint Monsoon)", "meta": { "external_id": "S0130", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0130", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" ], "synonyms": [ "Unknown Logger" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", "value": "Unknown Logger - S0130" }, { "description": "[Black Basta](https://attack.mitre.org/software/S1070) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMWare ESXi servers. 
[Black Basta](https://attack.mitre.org/software/S1070) operations have included the double extortion technique where in addition to demanding ransom for decrypting the files of targeted organizations the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. [Black Basta](https://attack.mitre.org/software/S1070) affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the [Black Basta](https://attack.mitre.org/software/S1070) RaaS operators could include current or former members of the [Conti](https://attack.mitre.org/software/S0575) group.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Minerva Labs Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Cyble Black Basta May 2022)", "meta": { "external_id": "S1070", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1070", "https://blog.cyble.com/2022/05/06/black-basta-ransomware/", "https://minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware", "https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware", "https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence" ], "synonyms": [ "Black Basta" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": 
"28170e17-8384-415c-8486-2e6b294cb803", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "8d242fb4-9033-4f13-8a88-4b9b4bcd9a53", "value": "Black Basta - S1070" }, { "description": "[Cherry Picker](https://attack.mitre.org/software/S0107) is a point of sale (PoS) memory scraper. 
(Citation: Trustwave Cherry Picker)", "meta": { "external_id": "S0107", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0107", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/" ], "synonyms": [ "Cherry Picker" ] }, "related": [ { "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", "value": "Cherry Picker - S0107" }, { "description": "[Zeus Panda](https://attack.mitre.org/software/S0330) is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda](https://attack.mitre.org/software/S0330)’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)", "meta": { "external_id": "S0330", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0330", "https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More", "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" ], "synonyms": [ "Zeus Panda" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": 
"7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "uses" } ], "uuid": "198db886-47af-4f4c-bff5-11b891f85946", "value": "Zeus Panda - S0330" }, { "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. 
(Citation: Zscaler-SpyNote)", "meta": { "external_id": "S0305", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0305", "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" ], "synonyms": [ "SpyNote RAT" ] }, "related": [ { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" } ], "uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", "value": "SpyNote RAT - S0305" }, { "description": "[3PARA RAT](https://attack.mitre.org/software/S0066) is a remote access tool (RAT) programmed in C++ that has been used by [Putter Panda](https://attack.mitre.org/groups/G0024). (Citation: CrowdStrike Putter Panda)", "meta": { "external_id": "S0066", "mitre_platforms": [ "Windows" ], "refs": [ "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", "https://attack.mitre.org/software/S0066" ], "synonyms": [ "3PARA RAT" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "59fb0222-0e7d-4f5f-92ac-e68012fb927d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", "value": "3PARA RAT - S0066" }, { "description": "[Agent Smith](https://attack.mitre.org/software/S0440) is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious 
versions that include fraudulent ads. As of July 2019 [Agent Smith](https://attack.mitre.org/software/S0440) had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)", "meta": { "external_id": "S0440", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0440", "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" ], "synonyms": [ "Agent Smith" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "type": "uses" }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, { "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" }, { "dest-uuid": "fa801609-ca8e-415e-815e-65f3826ff4df", "type": "uses" } ], "uuid": "a6228601-03f6-4949-ae22-c1087627a637", "value": "Agent Smith - S0440" }, { "description": "[4H RAT](https://attack.mitre.org/software/S0065) is malware that has been used by [Putter Panda](https://attack.mitre.org/groups/G0024) since at least 2007. 
(Citation: CrowdStrike Putter Panda)", "meta": { "external_id": "S0065", "mitre_platforms": [ "Windows" ], "refs": [ "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", "https://attack.mitre.org/software/S0065" ], "synonyms": [ "4H RAT" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d8aad68d-a68f-42e1-b755-d5f383b73401", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", "value": "4H RAT - S0065" }, { "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. 
[Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion) ", "meta": { "external_id": "S0505", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0505", "https://blog.lookout.com/desert-scorpion-google-play" ], "synonyms": [ "Desert Scorpion" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" }, { "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "type": "uses" } ], "uuid": "3271c107-92c4-442e-9506-e76d62230ee8", "value": "Desert Scorpion - S0505" }, { "description": "[Net Crawler](https://attack.mitre.org/software/S0056) is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using 
[PsExec](https://attack.mitre.org/software/S0029) to execute a copy of [Net Crawler](https://attack.mitre.org/software/S0056). (Citation: Cylance Cleaver)", "meta": { "external_id": "S0056", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0056", "https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [ "Net Crawler", "NetC" ] }, "related": [ { "dest-uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", "value": "Net Crawler - S0056" }, { "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. 
(Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware) ", "meta": { "external_id": "S0606", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0606", "https://securelist.com/bad-rabbit-ransomware/82851/", "https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/", "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" ], "synonyms": [ "Bad Rabbit", "Win32/Diskcoder.D" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89", "type": "uses" } ], "uuid": "2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "value": "Bad Rabbit - S0606" }, { "description": "[Green Lambert](https://attack.mitre.org/software/S0690) is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. 
First reported in 2017, the Windows variant of [Green Lambert](https://attack.mitre.org/software/S0690) may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.(Citation: Kaspersky Lamberts Toolkit April 2017)(Citation: Objective See Green Lambert for OSX Oct 2021) ", "meta": { "external_id": "S0690", "mitre_platforms": [ "Windows", "iOS", "macOS", "Linux" ], "refs": [ "https://attack.mitre.org/software/S0690", "https://objective-see.com/blog/blog_0x68.html", "https://securelist.com/unraveling-the-lamberts-toolkit/77990/" ], "synonyms": [ "Green Lambert" ] }, "related": [ { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "84601337-6a55-4ad7-9c35-79e0d1ea2ab3", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "59c8a28c-200c-4565-9af1-cbdb24870ba0", 
"value": "Green Lambert - S0690" }, { "description": "[Saint Bot](https://attack.mitre.org/software/S1018) is a .NET downloader that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "meta": { "external_id": "S1018", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1018", "https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/", "https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2cd950a6-16c4-404a-aa01-044322395107", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": 
"7c0f17c9-1af6-4628-9cbd-9e45482dd605", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "7724581b-06ff-4d2b-b77c-80dc8d53070b", "value": "Saint Bot - S1018" }, { "description": "[Heyoka Backdoor](https://attack.mitre.org/software/S1027) is a custom backdoor--based on the Heyoka open source exfiltration tool--that has been used by [Aoqin Dragon](https://attack.mitre.org/groups/G1007) since at least 2013.(Citation: SentinelOne Aoqin Dragon June 2022)(Citation: Sourceforge Heyoka 2022) ", "meta": { "external_id": "S1027", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1027", "https://heyoka.sourceforge.net/", 
"https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" ], "synonyms": [ "Heyoka Backdoor" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "dff90475-9f72-41a6-84ed-1fbefd3874c0", "value": "Heyoka Backdoor - S1027" }, { "description": "[Action RAT](https://attack.mitre.org/software/S1028) is a remote access tool written in Delphi that has been used by [SideCopy](https://attack.mitre.org/groups/G1008) since at least December 2021 against Indian and Afghani government personnel.(Citation: MalwareBytes SideCopy Dec 2021)", "meta": { "external_id": "S1028", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1028", "https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" ], "synonyms": [ "Action RAT" ] }, "related": [ { "dest-uuid": 
"01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "36801ffb-5c85-4c50-9121-6122e389366d", "value": "Action RAT - S1028" }, { "description": "[AutoIt backdoor](https://attack.mitre.org/software/S0129) is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. 
(Citation: Forcepoint Monsoon) This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.", "meta": { "external_id": "S0129", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0129", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" ], "synonyms": [ "AutoIt backdoor" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" } ], "uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", "value": "AutoIt backdoor - S0129" }, { "description": "[AuTo Stealer](https://attack.mitre.org/software/S1029) is malware written in C++ that has been used by [SideCopy](https://attack.mitre.org/groups/G1008) since at least December 2021 to target government agencies and personnel in India and Afghanistan.(Citation: MalwareBytes SideCopy Dec 2021)", "meta": { "external_id": "S1029", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1029", "https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" ], "synonyms": [ "AuTo Stealer" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { 
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5", "value": "AuTo Stealer - S1029" }, { "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020)", "meta": { "external_id": "S0331", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0331", "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/", "https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html", "https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/", "https://www.digitrustgroup.com/agent-tesla-keylogger/", "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html" ], "synonyms": [ "Agent Tesla" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { 
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "494ab9f0-36e0-4b06-b10d-57285b040a06", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c48a67ee-b657-45c1-91bf-6cdbe27205f8", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8", "value": "Agent Tesla - S0331" }, { "description": 
"[Small Sieve](https://attack.mitre.org/software/S1035) is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: NCSC GCHQ Small Sieve Jan 2022)\n\nSecurity researchers have also noted [Small Sieve](https://attack.mitre.org/software/S1035)'s use by UNC3313, which may be associated with [MuddyWater](https://attack.mitre.org/groups/G0069).(Citation: Mandiant UNC3313 Feb 2022)", "meta": { "external_id": "S1035", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1035", "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf" ], "synonyms": [ "Small Sieve", "GRAMDOOR" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": 
"ff41b9b6-4c1d-407b-a7e2-835109c8dbc5", "value": "Small Sieve - S1035" }, { "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: cobaltstrike manual)", "meta": { "external_id": "S0154", "mitre_platforms": [ "Windows", "Linux", "macOS" ], "refs": [ "https://attack.mitre.org/software/S0154", "https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" ], "synonyms": [ "Cobalt Strike" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", "type": "uses" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": 
"2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" }, { "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": 
"93591901-3172-4e94-abf8-6034ab26f44a", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "type": "uses" }, { "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": 
"eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" }, { "dest-uuid": "ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1", "type": "uses" } ], "uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "value": "Cobalt Strike - S0154" }, { "description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) is a ransomware that has been in use since at least December 2019.(Citation: Sophos Ragnar May 2020)(Citation: Cynet Ragnar Apr 2020)", "meta": { "external_id": "S0481", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0481", "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", "https://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/" ], "synonyms": [ "Ragnar Locker" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e69f9836-873a-43d3-92a8-97ab783a4171", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "54895630-efd2-4608-9c24-319de972a9eb", "value": "Ragnar Locker - S0481" }, { "description": " [Woody RAT](https://attack.mitre.org/software/S1065) is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.(Citation: MalwareBytes WoodyRAT Aug 2022)", "meta": { "external_id": "S1065", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1065", "https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild" ], "synonyms": [ "Woody RAT" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "type": "uses" }, { "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { 
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "3bc7e862-5610-4c02-9c48-15b2e2dc1ddb", "value": "Woody RAT - S1065" }, { "description": "[SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: Mandiant - Synful Knock)(Citation: Cisco Synful Knock Evolution)", "meta": { "external_id": "S0519", "mitre_platforms": [ "Network" ], "refs": [ "https://attack.mitre.org/software/S0519", "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", "https://www.mandiant.com/resources/synful-knock-acis" ], "synonyms": [ "SYNful Knock" ] }, "related": [ { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "type": "uses" }, { "dest-uuid": "d245808a-7086-4310-984a-a84aaaa43f8f", "type": "uses" }, { "dest-uuid": "fa44a152-ac48-441e-a524-dd7b04b8adcd", "type": "uses" } ], "uuid": "84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", "value": "SYNful Knock - S0519" }, { "description": "[Power 
Loader](https://attack.mitre.org/software/S0177) is modular code sold in the cybercrime market and used as a downloader in malware families such as Carberp, Redyms, and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)", "meta": { "external_id": "S0177", "refs": [ "https://attack.mitre.org/software/S0177", "https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html", "https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/" ] }, "related": [ { "dest-uuid": "0042a9f5-f053-4769-b3ef-9ad018dfa298", "type": "uses" } ], "uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", "value": "Power Loader - S0177" }, { "description": "[HUI Loader](https://attack.mitre.org/software/S1097) is a custom DLL loader that has been used since at least 2015 by China-based threat groups including [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) and [menuPass](https://attack.mitre.org/groups/G0045) to deploy malware on compromised hosts. 
[HUI Loader](https://attack.mitre.org/software/S1097) has been observed in campaigns loading [SodaMaster](https://attack.mitre.org/software/S0627), [PlugX](https://attack.mitre.org/software/S0013), [Cobalt Strike](https://attack.mitre.org/software/S0154), [Komplex](https://attack.mitre.org/software/S0162), and several strains of ransomware.(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)", "meta": { "external_id": "S1097", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1097", "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader" ], "synonyms": [ "HUI Loader" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", "type": "uses" } ], "uuid": "54089fba-8662-4f37-9a44-6ad25a5f630a", "value": "HUI Loader - S1097" }, { "description": "[Brave Prince](https://attack.mitre.org/software/S0252) is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to [Gold Dragon](https://attack.mitre.org/software/S0249), and was seen along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations surrounding the 2018 Pyeongchang Winter Olympics. 
(Citation: McAfee Gold Dragon)", "meta": { "external_id": "S0252", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0252", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" ], "synonyms": [ "Brave Prince" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "28b97733-ef07-4414-aaa5-df50b2d30cc5", "value": "Brave Prince - S0252" }, { "description": "[Smoke Loader](https://attack.mitre.org/software/S0226) is a malicious bot application that can be used to load other malware.\n[Smoke Loader](https://attack.mitre.org/software/S0226) has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. 
(Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)", "meta": { "external_id": "S0226", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0226", "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/", "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/" ], "synonyms": [ "Smoke Loader", "Dofoil" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "81f41bae-2ba9-4cec-9613-776be71645ca", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0", "value": "Smoke Loader - S0226" }, { "description": "[Linux 
Rabbit](https://attack.mitre.org/software/S0362) is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018)\n", "meta": { "external_id": "S0362", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S0362", "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" ], "synonyms": [ "Linux Rabbit" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", "type": "uses" }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "type": "uses" } ], "uuid": "0efefea5-78da-4022-92bc-d726139e8883", "value": "Linux Rabbit - S0362" }, { "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. 
(Citation: Lookout-StealthMango)", "meta": { "external_id": "S0328", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0328", "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" ], "synonyms": [ "Stealth Mango" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" }, { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "type": "uses" } ], "uuid": "085eb36d-697d-4d9a-bac3-96eb879fe73c", "value": "Stealth Mango - S0328" }, { "description": "[Corona Updates](https://attack.mitre.org/software/S0425) is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. 
Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)", "meta": { "external_id": "S0425", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0425", "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" ], "synonyms": [ "Corona Updates", "Wabi Music", "Concipit1248" ] }, "related": [ { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "37047267-3e56-453c-833e-d92b68118120", "type": "uses" }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "366c800f-97a8-48d5-b0a6-79d00198252a", "value": "Corona Updates - S0425" }, { "description": "[Gold Dragon](https://attack.mitre.org/software/S0249) is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. 
[Gold Dragon](https://attack.mitre.org/software/S0249) was used along with [Brave Prince](https://attack.mitre.org/software/S0252) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)", "meta": { "external_id": "S0249", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0249", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" ], "synonyms": [ "Gold Dragon" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "b9799466-9dd7-4098-b2d6-f999ce50b9a8", "value": "Gold Dragon - S0249" }, { "description": "[Caterpillar WebShell](https://attack.mitre.org/software/S0572) is a self-developed Web Shell tool created by the group [Volatile Cedar](https://attack.mitre.org/groups/G0123).(Citation: ClearSky Lebanese Cedar Jan 2021) ", "meta": { 
"external_id": "S0572", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0572", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf", "https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" ], "synonyms": [ "Caterpillar WebShell" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "751b77e6-af1f-483b-93fe-eddf17f92a64", "value": "Caterpillar WebShell - S0572" }, { "description": "[Cobian RAT](https://attack.mitre.org/software/S0338) is a remote access tool (RAT) with backdoor functionality that has been observed since 2016; the cited Zscaler analysis reports that the RAT itself was backdoored.(Citation: Zscaler Cobian Aug 2017)", "meta": { "external_id": "S0338", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0338", "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" ], "synonyms": [ "Cobian RAT" ] }, "related": [ { "dest-uuid": 
"0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" } ], "uuid": "aa1462a1-d065-416c-b354-bedd04998c7f", "value": "Cobian RAT - S0338" }, { "description": "[Cardinal RAT](https://attack.mitre.org/software/S0348) is a potentially low volume remote access trojan (RAT) observed since December 2015. [Cardinal RAT](https://attack.mitre.org/software/S0348) is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.(Citation: PaloAlto CardinalRat Apr 2017)", "meta": { "external_id": "S0348", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0348", "https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" ], "synonyms": [ "Cardinal RAT" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", "type": "uses" }, { "dest-uuid": 
"43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "b879758f-bbc4-4cab-b5ba-177ac9b009b4", "value": "Cardinal RAT - S0348" }, { "description": "[Golden Cup](https://attack.mitre.org/software/S0535) is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup) ", "meta": { "external_id": "S0535", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0535", "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" ], "synonyms": [ "Golden Cup" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "type": "uses" }, { 
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec", "type": "uses" } ], "uuid": "f3975cc0-72bc-4308-836e-ac701b83860e", "value": "Golden Cup - S0535" }, { "description": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. [Olympic Destroyer](https://attack.mitre.org/software/S0365) has worm-like features to spread itself across a computer network in order to maximize its destructive impact.(Citation: Talos Olympic Destroyer 2018)(Citation: US District Court Indictment GRU Unit 74455 October 2020) ", "meta": { "external_id": "S0365", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0365", "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html", "https://www.justice.gov/opa/press-release/file/1328521/download" ], "synonyms": [ "Olympic Destroyer" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": 
"65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" } ], "uuid": "3249e92a-870b-426d-8790-ba311c1abfb4", "value": "Olympic Destroyer - S0365" }, { "description": "[Revenge RAT](https://attack.mitre.org/software/S0379) is a freely available remote access tool written in .NET (C#).(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)", "meta": { "external_id": "S0379", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0379", "https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/", "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" ], "synonyms": [ "Revenge RAT" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "type": 
"uses" }, { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" } ], "uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", "value": "Revenge RAT - S0379" }, { "description": "[Rising Sun](https://attack.mitre.org/software/S0448) is a modular backdoor that was used extensively in [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013) between 2017 and 2019. [Rising Sun](https://attack.mitre.org/software/S0448) infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. 
Security researchers assessed [Rising Sun](https://attack.mitre.org/software/S0448) included some source code from [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Trojan Duuzer.(Citation: McAfee Sharpshooter December 2018)", "meta": { "external_id": "S0448", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0448", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" ], "synonyms": [ "Rising Sun" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "56e6b6c2-e573-4969-8bab-783205cebbbf", "value": "Rising Sun - S0448" }, { "description": "[JSS 
Loader](https://attack.mitre.org/software/S0648) is a Remote Access Trojan (RAT) with .NET and C++ variants that has been used by [FIN7](https://attack.mitre.org/groups/G0046) since at least 2020.(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)", "meta": { "external_id": "S0648", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0648", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", "https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc" ], "synonyms": [ "JSS Loader" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "f559f945-eb8b-48b1-904c-68568deebed3", "value": "JSS Loader - S0648" }, { "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. 
[DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android’s accessibility service.(Citation: ESET DEFENSOR ID) ", "meta": { "external_id": "S0479", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0479", "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" ], "synonyms": [ "DEFENSOR ID" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", "type": "uses" } ], "uuid": "5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "value": "DEFENSOR ID - S0479" }, { "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)", "meta": { "external_id": "S0558", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0558", "https://www.zscaler.com/blogs/security-research/tiktok-spyware" ], "synonyms": [ "Tiktok Pro" ] }, "related": [ { "dest-uuid": "00290ac5-551e-44aa-bbd8-c4b913488a6d", "type": "uses" }, { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", "type": "uses" }, { 
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" } ], "uuid": "c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "value": "Tiktok Pro - S0558" }, { "description": "[Cyclops Blink](https://attack.mitre.org/software/S0687) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.(Citation: NCSC Cyclops Blink February 2022)(Citation: NCSC CISA Cyclops Blink Advisory February 2022)(Citation: Trend Micro Cyclops Blink March 2022)", "meta": { "external_id": "S0687", "mitre_platforms": [ "Network" ], "refs": [ "https://attack.mitre.org/software/S0687", "https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf", "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html" ], "synonyms": [ "Cyclops Blink" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": 
"uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", "type": "uses" }, { "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "b350b47f-88fe-4921-8538-6d9c59bac84e", "value": "Cyclops Blink - S0687" }, { "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. 
(Citation: Kaspersky-MobileMalware)", "meta": { "external_id": "S0306", "refs": [ "https://attack.mitre.org/software/S0306", "https://securelist.com/mobile-malware-evolution-2013/58335/" ] }, "related": [ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" } ], "uuid": "28e39395-91e7-4f02-b694-5e079c964da9", "value": "Trojan-SMS.AndroidOS.FakeInst.a - S0306" }, { "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)", "meta": { "external_id": "S0307", "refs": [ "https://attack.mitre.org/software/S0307", "https://securelist.com/mobile-malware-evolution-2013/58335/" ] }, "related": [ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" } ], "uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17", "value": "Trojan-SMS.AndroidOS.Agent.ao - S0307" }, { "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. (Citation: Kaspersky-MobileMalware)", "meta": { "external_id": "S0308", "refs": [ "https://attack.mitre.org/software/S0308", "https://securelist.com/mobile-malware-evolution-2013/58335/" ] }, "related": [ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" } ], "uuid": "d89c132d-7752-4c7f-9372-954a71522985", "value": "Trojan-SMS.AndroidOS.OpFake.a - S0308" }, { "description": "[Mis-Type](https://attack.mitre.org/software/S0084) is a backdoor hybrid that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) by 2012.(Citation: Cylance Dust Storm)", "meta": { "external_id": "S0084", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0084", "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" ], "synonyms": [ "Mis-Type" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": 
"04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "value": "Mis-Type - S0084" }, { "description": "[S-Type](https://attack.mitre.org/software/S0085) is a backdoor that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) since at least 2013.(Citation: Cylance Dust Storm)", "meta": { "external_id": "S0085", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0085", "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" ], "synonyms": [ "S-Type" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": 
"1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "value": "S-Type - S0085" }, { "description": "[Hi-Zor](https://attack.mitre.org/software/S0087) is a remote access tool (RAT) that has characteristics similar to [Sakula](https://attack.mitre.org/software/S0074). It was used in a campaign named INOCNATION. 
(Citation: Fidelis Hi-Zor)", "meta": { "external_id": "S0087", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0087", "https://www.fidelissecurity.com/threatgeek/archive/introducing-hi-zor-rat/" ], "synonyms": [ "Hi-Zor" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d22a3e65-75e5-4970-b424-bdc06ec33dba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", "value": "Hi-Zor - S0087" }, { "description": "[Miner-C](https://attack.mitre.org/software/S0133) is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. 
(Citation: Softpedia MinerC)", "meta": { "external_id": "S0133", "refs": [ "http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml", "https://attack.mitre.org/software/S0133" ] }, "related": [ { "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", "type": "uses" } ], "uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234", "value": "Miner-C - S0133" }, { "description": "[Seth-Locker](https://attack.mitre.org/software/S0639) is a ransomware with some remote control capabilities that has been in use since at least 2021.\n(Citation: Trend Micro Ransomware February 2021)", "meta": { "external_id": "S0639", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0639", "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html" ], "synonyms": [ "Seth-Locker" ] }, "related": [ { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "f931a0b9-0361-4b1b-bacf-955062c35746", "value": "Seth-Locker - S0639" }, { "description": "[Aria-body](https://attack.mitre.org/software/S0456) is a custom backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since approximately 2017.(Citation: CheckPoint Naikon May 2020)", "meta": { "external_id": "S0456", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0456", "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" ], "synonyms": [ "Aria-body" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", 
"type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "3161d76a-e2b2-4b97-9906-24909b735386", "value": "Aria-body - S0456" }, { "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. 
[S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for \"owl\", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", "meta": { "external_id": "S1062", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1062", "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly", "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html" ], "synonyms": [ "S.O.V.A." ] }, "related": [ { "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13", "type": "uses" }, { "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "51636761-2e35-44bf-9e56-e337adf97174", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "74e6003f-c7f4-4047-983b-708cc19b96b6", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", "type": "uses" }, { "dest-uuid": "d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", "type": "uses" }, { "dest-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4", "type": "uses" }, { "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" } ], "uuid": "4b53eb01-57d7-47b4-b078-22766b002b36", 
"value": "S.O.V.A. - S1062" }, { "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)", "meta": { "external_id": "S0304", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0304", "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" ], "synonyms": [ "Android/Chuli.A" ] }, "related": [ { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" } ], "uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", "value": "Android/Chuli.A - S0304" }, { "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. 
(Citation: Microsoft MalLockerB)", "meta": { "external_id": "S0524", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0524", "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" ], "synonyms": [ "AndroidOS/MalLocker.B" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "acf8fd2a-dc98-43b4-8d37-64e10728e591", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" } ], "uuid": "9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "value": "AndroidOS/MalLocker.B - S0524" }, { "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) is a variant of adware that has been distributed through multiple apps in the Google Play Store. (Citation: WeLiveSecurity AdDisplayAshas)", "meta": { "external_id": "S0525", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0525", "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" ], "synonyms": [ "Android/AdDisplay.Ashas" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" } ], "uuid": "f7e7b736-2cff-4c2a-9232-352cd383463a", "value": "Android/AdDisplay.Ashas - S0525" }, { "description": 
"[Trojan.Mebromi](https://attack.mitre.org/software/S0001) is BIOS-level malware that takes control of the victim system before the Master Boot Record (MBR) is loaded. (Citation: Ge 2011)", "meta": { "external_id": "S0001", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.symantec.com/connect/blogs/bios-threat-showing-again", "https://attack.mitre.org/software/S0001" ], "synonyms": [ "Trojan.Mebromi" ] }, "related": [ { "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", "type": "uses" } ], "uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec", "value": "Trojan.Mebromi - S0001" }, { "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)", "meta": { "external_id": "S0310", "mitre_platforms": [ "Android" ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/", "https://attack.mitre.org/software/S0310" ], "synonyms": [ "ANDROIDOS_ANSERVER.A" ] }, "related": [ { "dest-uuid": "986f80f7-ff0e-4f48-87bd-0394814bbce5", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8", "value": "ANDROIDOS_ANSERVER.A - S0310" }, { "description": "[Agent.btz](https://attack.mitre.org/software/S0092) is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. 
(Citation: Securelist Agent.btz)", "meta": { "external_id": "S0092", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0092", "https://securelist.com/agent-btz-a-source-of-inspiration/58551/" ], "synonyms": [ "Agent.btz" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", "value": "Agent.btz - S0092" }, { "description": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a modular backdoor that was used by [Dragonfly](https://attack.mitre.org/groups/G0035) against energy companies since at least 2013. [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)", "meta": { "external_id": "S0093", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0093", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers", "https://vblocalhost.com/uploads/VB2021-Slowik.pdf" ], "synonyms": [ "Backdoor.Oldrea", "Havex" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", 
"type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d7183f66-59ec-4803-be20-237b442259fc", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "value": "Backdoor.Oldrea - S0093" }, { "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) is a modular remote access tool used for recon and linked to [Dragonfly](https://attack.mitre.org/groups/G0035). The source code for [Trojan.Karagany](https://attack.mitre.org/software/S0094) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. 
(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY )", "meta": { "external_id": "S0094", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0094", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.dragos.com/threat/dymalloy/", "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" ], "synonyms": [ "Trojan.Karagany", "xFrost", "Karagany" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": 
"d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "value": "Trojan.Karagany - S0094" }, { "description": "[macOS.OSAMiner](https://attack.mitre.org/software/S1048) is a Monero mining trojan that was first observed in 2018; security researchers assessed [macOS.OSAMiner](https://attack.mitre.org/software/S1048) may have been circulating since at least 2015. [macOS.OSAMiner](https://attack.mitre.org/software/S1048) is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.(Citation: SentinelLabs reversing run-only applescripts 2021)(Citation: VMRay OSAMiner dynamic analysis 2021)", "meta": { "external_id": "S1048", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S1048", "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/", "https://www.vmray.com/cyber-security-blog/osaminer-uses-applescripts-evade-detection-malware-analysis-spotlight/" ], "synonyms": [ "macOS.OSAMiner" ] }, "related": [ { "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2f41939b-54c3-41d6-8f8b-35f1ec18ed97", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", "type": "uses" }, { "dest-uuid": "810aa4ad-61c9-49cb-993f-daa06199421d", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": 
"d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "2a59a237-1530-4d55-91f9-2aebf961cc37", "value": "macOS.OSAMiner - S1048" }, { "description": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a macOS backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First discovered in 2015, [APT32](https://attack.mitre.org/groups/G0050) has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib` files. [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can also determine its permission level and execute according to access type (`root` or `user`).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)", "meta": { "external_id": "S0352", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0352", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/", "https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/", "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html" ], "synonyms": [ "OSX_OCEANLOTUS.D", "Backdoor.MacOS.OCEANLOTUS.F" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e", 
"type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", "value": "OSX_OCEANLOTUS.D - S0352" }, { "description": "[LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) is a backdoor that was used by UNC5325 during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "meta": { "external_id": "S1121", "mitre_platforms": [ "Network" ], "refs": [ "https://attack.mitre.org/software/S1121", 
"https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence" ], "synonyms": [ "LITTLELAMB.WOOLTEA" ] }, "related": [ { "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" } ], "uuid": "19256855-65e9-48f2-8b74-9f3d0a994428", "value": "LITTLELAMB.WOOLTEA - S1121" }, { "description": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)", "meta": { "external_id": "S0402", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0402", "https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/", "https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html", "https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/", "https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/", "https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/" ], "synonyms": [ "OSX/Shlayer", "Zshlayer", "Crossrider" ] }, "related": [ { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": 
"31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4a2975db-414e-4c0c-bd92-775987514b4b", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b22e5153-ac28-4cc6-865c-2054e36285cb", "type": "uses" }, { "dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "f1314e75-ada8-49f4-b281-b1fb8b48f2a7", "value": "OSX/Shlayer - S0402" }, { "description": "[T9000](https://attack.mitre.org/software/S0098) is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. 
(Citation: FireEye admin@338 March 2014) (Citation: Palo Alto T9000 Feb 2016)", "meta": { "external_id": "S0098", "mitre_platforms": [ "Windows" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/", "https://attack.mitre.org/software/S0098", "https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html" ], "synonyms": [ "T9000" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "66575fb4-7f92-42d8-8c47-e68a26413081", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "value": "T9000 - S0098" }, { "description": "[BS2005](https://attack.mitre.org/software/S0014) is malware that was used by [Ke3chang](https://attack.mitre.org/groups/G0004) in spearphishing campaigns since at least 2011. 
(Citation: Mandiant Operation Ke3chang November 2014)", "meta": { "external_id": "S0014", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0014", "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" ], "synonyms": [ "BS2005" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "25cd01bc-1346-4415-8f8d-d3656309ef6b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6", "value": "BS2005 - S0014" }, { "description": "[Sys10](https://attack.mitre.org/software/S0060) is a backdoor that was used throughout 2013 by [Naikon](https://attack.mitre.org/groups/G0019). (Citation: Baumgartner Naikon 2015)", "meta": { "external_id": "S0060", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0060", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [ "Sys10" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2ae57534-6aac-4025-8d93-888dab112b45", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", "value": "Sys10 - S0060" }, { "description": "[Lurid](https://attack.mitre.org/software/S0010) is a malware family 
that has been used by several groups, including [PittyTiger](https://attack.mitre.org/groups/G0011), in targeted attacks as far back as 2006. (Citation: Villeneuve 2014) (Citation: Villeneuve 2011)", "meta": { "external_id": "S0010", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf", "https://attack.mitre.org/software/S0010", "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" ], "synonyms": [ "Lurid", "Enfal" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" } ], "uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", "value": "Lurid - S0010" }, { "description": "[Dipsind](https://attack.mitre.org/software/S0200) is a malware family of backdoors that appear to be used exclusively by [PLATINUM](https://attack.mitre.org/groups/G0068). 
(Citation: Microsoft PLATINUM April 2016)", "meta": { "external_id": "S0200", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0200", "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" ], "synonyms": [ "Dipsind" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", "value": "Dipsind - S0200" }, { "description": "[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. (Citation: TrendMicro-DressCode)", "meta": { "external_id": "S0300", "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/", "https://attack.mitre.org/software/S0300" ] }, "related": [ { "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d", "type": "uses" } ], "uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", "value": "DressCode - S0300" }, { "description": "[Carbanak](https://attack.mitre.org/software/S0030) is a full-featured, remote backdoor used by a group of the same name ([Carbanak](https://attack.mitre.org/groups/G0008)). It is intended for espionage, data exfiltration, and providing remote access to infected machines. 
(Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017)", "meta": { "external_id": "S0030", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0030", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf", "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", "https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/" ], "synonyms": [ "Carbanak", "Anunak" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", "type": "uses" }, { "dest-uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" } ], "uuid": 
"72f54d66-675d-4587-9bd3-4ed09f9522e4", "value": "Carbanak - S0030" }, { "description": "[RIPTIDE](https://attack.mitre.org/software/S0003) is a proxy-aware backdoor used by [APT12](https://attack.mitre.org/groups/G0005). (Citation: Moran 2014)", "meta": { "external_id": "S0003", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0003", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" ], "synonyms": [ "RIPTIDE" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "91583583-95c0-444e-8175-483cbebc640b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", "value": "RIPTIDE - S0003" }, { "description": "[TinyZBot](https://attack.mitre.org/software/S0004) is a bot written in C# that was developed by [Cleaver](https://attack.mitre.org/groups/G0003). 
(Citation: Cylance Cleaver)", "meta": { "external_id": "S0004", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0004", "https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [ "TinyZBot" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e2cc27a2-4146-4f08-8e80-114a99204cea", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "value": "TinyZBot - S0004" }, { "description": "[RobbinHood](https://attack.mitre.org/software/S0400) is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.(Citation: CarbonBlack RobbinHood May 2019)(Citation: BaltimoreSun RobbinHood May 2019)", "meta": { "external_id": "S0400", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0400", "https://www.baltimoresun.com/politics/bs-md-ci-it-outage-20190507-story.html", "https://www.carbonblack.com/2019/05/17/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/" ], "synonyms": [ "RobbinHood" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", "type": "uses" }, { "dest-uuid": 
"ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "0a607c53-df52-45da-a75d-0e53df4dad5f", "value": "RobbinHood - S0400" }, { "description": "[CosmicDuke](https://attack.mitre.org/software/S0050) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. (Citation: F-Secure The Dukes)", "meta": { "external_id": "S0050", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0050", "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" ], "synonyms": [ "CosmicDuke", "TinyBaron", "BotgenStudios", "NemesisGemina" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", "type": "uses" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", 
"type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "value": "CosmicDuke - S0050" }, { "description": "[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)", "meta": { "external_id": "S0600", "mitre_platforms": [ "Linux", "Containers" ], "refs": [ "https://attack.mitre.org/software/S0600", "https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" ], "synonyms": [ "Doki" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665", "type": "uses" }, { "dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "4f1c389e-a80e-4a3e-9b0e-9be8c91df64f", "value": "Doki - S0600" }, { "description": "[HTTPBrowser](https://attack.mitre.org/software/S0070) is malware that has been used by several threat groups. (Citation: ThreatStream Evasion Analysis) (Citation: Dell TG-3390) It is believed to be of Chinese origin. (Citation: ThreatConnect Anthem)", "meta": { "external_id": "S0070", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0070", "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/", "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" ], "synonyms": [ "HTTPBrowser", "Token Control", "HttpDump" ] }, "related": [ { "dest-uuid": "08e2c9ef-aa62-429f-a6e5-e901ff6883cd", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "value": "HTTPBrowser - S0070" }, { 
"description": "[Mivast](https://attack.mitre.org/software/S0080) is a backdoor that has been used by [Deep Panda](https://attack.mitre.org/groups/G0009). It was reportedly used in the Anthem breach. (Citation: Symantec Black Vine)", "meta": { "external_id": "S0080", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2", "https://attack.mitre.org/software/S0080", "https://web.archive.org/web/20170823094836/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf" ], "synonyms": [ "Mivast" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", "value": "Mivast - S0080" }, { "description": "[Hikit](https://attack.mitre.org/software/S0009) is malware that has been used by [Axiom](https://attack.mitre.org/groups/G0001) for late-stage persistence and exfiltration after the initial compromise.(Citation: Novetta-Axiom)(Citation: FireEye Hikit Rootkit)", "meta": { "external_id": "S0009", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0009", "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", "https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html" ], "synonyms": [ "Hikit" ] }, "related": [ { "dest-uuid": "06953055-92ed-4936-8ffd-d9d72ab6bef6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", 
"type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c", "type": "uses" }, { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "type": "uses" }, { "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" } ], "uuid": "95047f03-4811-4300-922e-1ba937d53a61", "value": "Hikit - S0009" }, { "description": "", "meta": { "external_id": "S9000", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S9000" ], "synonyms": [ "Ngrok" ] }, "related": [ { "dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906", "type": "revoked-by" } ], "revoked": true, "uuid": "911fe4c3-444d-4e92-83b8-cc761ac5fd3b", "value": "Ngrok - S9000" }, { "description": "[Rover](https://attack.mitre.org/software/S0090) is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. 
(Citation: Palo Alto Rover)", "meta": { "external_id": "S0090", "mitre_platforms": [ "Windows" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/", "https://attack.mitre.org/software/S0090" ], "synonyms": [ "Rover" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" } ], "uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "value": "Rover - S0090" }, { "description": "[Ninja](https://attack.mitre.org/software/S1100) is a malware developed in C++ that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) to penetrate networks and control remote systems since at least 2020. [Ninja](https://attack.mitre.org/software/S1100) is possibly part of a post exploitation toolkit exclusively used by [ToddyCat](https://attack.mitre.org/groups/G1022) and allows multiple operators to work simultaneously on the same machine. 
[Ninja](https://attack.mitre.org/software/S1100) has been used against government and military entities in Europe and Asia and observed in specific infection chains being deployed by [Samurai](https://attack.mitre.org/software/S1099).(Citation: Kaspersky ToddyCat June 2022)", "meta": { "external_id": "S1100", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1100", "https://securelist.com/toddycat/106799/" ], "synonyms": [ "Ninja" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", "type": "uses" }, { "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" }, { "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", 
"type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995", "type": "uses" }, { "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" } ], "uuid": "023254de-caaf-4a05-b2c7-e4e2f283f7a5", "value": "Ninja - S1100" }, { "description": "[Taidoor](https://attack.mitre.org/software/S0011) is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021) [Taidoor](https://attack.mitre.org/software/S0011) has primarily been used against Taiwanese government organizations since at least 2010.(Citation: TrendMicro Taidoor)", "meta": { "external_id": "S0011", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf", "https://attack.mitre.org/software/S0011", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a" ], "synonyms": [ "Taidoor" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": 
"8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cda7d605-23d0-4f93-a585-1276f094c04a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "b143dfa4-e944-43ff-8429-bfffc308c517", "value": "Taidoor - S0011" }, { "description": "[WEBC2](https://attack.mitre.org/software/S0109) is a family of backdoor malware used by [APT1](https://attack.mitre.org/groups/G0006) as early as July 2006. [WEBC2](https://attack.mitre.org/software/S0109) backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. 
(Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)", "meta": { "external_id": "S0109", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0109", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", "https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf" ], "synonyms": [ "WEBC2" ] }, "related": [ { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "b5be84b7-bf2c-40d0-85a9-14c040881a98", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "1d808f62-cf63-4063-9727-ff6132514c22", "value": "WEBC2 - S0109" }, { "description": "[Derusbi](https://attack.mitre.org/software/S0021) is malware used by multiple Chinese APT groups.(Citation: Novetta-Axiom)(Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed.(Citation: Fidelis Turbo)", "meta": { "external_id": "S0021", "mitre_platforms": [ "Windows", "Linux" ], "refs": [ "https://attack.mitre.org/software/S0021", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf", "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/" ], "synonyms": [ "Derusbi", "PHOTO" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": 
"1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "eff68b97-f36e-4827-ab1a-90523c16774c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "value": "Derusbi - S0021" }, { "description": "[JPIN](https://attack.mitre.org/software/S0201) is a custom-built backdoor family used by [PLATINUM](https://attack.mitre.org/groups/G0068). Evidence suggests developers of [JPIN](https://attack.mitre.org/software/S0201) and [Dipsind](https://attack.mitre.org/software/S0200) code bases were related in some way. 
(Citation: Microsoft PLATINUM April 2016)", "meta": { "external_id": "S0201", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0201", "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" ], "synonyms": [ "JPIN" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", "value": "JPIN - S0201" }, { "description": 
"[PoisonIvy](https://attack.mitre.org/software/S0012) is a popular remote access tool (RAT) that has been used by many groups.(Citation: FireEye Poison Ivy)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Darkmoon Aug 2005)", "meta": { "external_id": "S0012", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0012", "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", "https://www.symantec.com/connect/blogs/life-mars-how-attackers-took-advantage-hope-alien-existance-new-darkmoon-campaign", "https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" ], "synonyms": [ "PoisonIvy", "Breut", "Poison Ivy", "Darkmoon" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "22522668-ddf6-470b-a027-9d6866679f67", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": 
"7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "b42378e0-f147-496f-992a-26a49705395b", "value": "PoisonIvy - S0012" }, { "description": "[Kevin](https://attack.mitre.org/software/S1020) is a backdoor implant written in C++ that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2020, including in operations against organizations in Tunisia.(Citation: Kaspersky Lyceum October 2021)", "meta": { "external_id": "S1020", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1020", "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" ], "synonyms": [ "Kevin" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": 
"910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "type": "uses" }, { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" } ], "uuid": "e7863f5d-cb6a-4f81-8804-0a635eec160a", "value": "Kevin - S1020" }, { "description": "[Nerex](https://attack.mitre.org/software/S0210) is a Trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. 
(Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Nerex May 2012)", "meta": { "external_id": "S0210", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0210", "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3445-99" ], "synonyms": [ "Nerex" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a", "value": "Nerex - S0210" }, { "description": "[BACKSPACE](https://attack.mitre.org/software/S0031) is a backdoor used by [APT30](https://attack.mitre.org/groups/G0013) that dates back to at least 2005. 
(Citation: FireEye APT30)", "meta": { "external_id": "S0031", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0031", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [ "BACKSPACE", "Lecna" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cd6c5f27-cf7e-4529-ae9c-ab5b85102bde", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" } ], "uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "value": "BACKSPACE - S0031" }, { "description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. 
The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)", "meta": { "external_id": "S0301", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0301", "https://blog.lookout.com/blog/2014/03/06/dendroid/" ], "synonyms": [ "Dendroid" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "ea3a8c25-4adb-4538-bf11-55259bdba15f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e", "value": "Dendroid - S0301" }, { "description": "[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: Dell TG-3390)", "meta": { "external_id": "S0013", "mitre_platforms": [ "Windows" ], "refs": [ "http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", "http://labs.lastline.com/an-analysis-of-plugx", "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/", "https://attack.mitre.org/software/S0013", "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", 
"https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html", "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" ], "synonyms": [ "PlugX", "Thoper", "TVT", "DestroyRAT", "Sogu", "Kaba", "Korplug" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "663f8ef9-4c50-499a-b765-f377d23c1070", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": 
"c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f4b159ea-97e5-483b-854b-c48a78d562aa", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" } ], "uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "value": "PlugX - S0013" }, { "description": "[Squirrelwaffle](https://attack.mitre.org/software/S1030) is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as [Cobalt Strike](https://attack.mitre.org/software/S0154) and the [QakBot](https://attack.mitre.org/software/S0650) banking trojan.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)", "meta": { "external_id": "S1030", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1030", "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot", "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike" ], "synonyms": [ "Squirrelwaffle" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": 
"232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "3c18ad16-9eaf-4649-984e-68551bff0d47", "value": "Squirrelwaffle - S1030" }, { "description": "[Fysbis](https://attack.mitre.org/software/S0410) is a Linux-based backdoor used by [APT28](https://attack.mitre.org/groups/G0007) that dates back to at least 2014.(Citation: Fysbis Palo Alto Analysis)", "meta": { "external_id": "S0410", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S0410", "https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" ], "synonyms": [ "Fysbis" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", 
"type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", "type": "uses" }, { "dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11", "type": "uses" } ], "uuid": "50d6688b-0985-4f3d-8cbe-0c796b30703b", "value": "Fysbis - S0410" }, { "description": "[Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) and Filerase to carry out data wiping tasks. 
Analysis has linked [Shamoon](https://attack.mitre.org/software/S0140) with [Kwampirs](https://attack.mitre.org/software/S0236) based on multiple shared artifacts and coding patterns.(Citation: Cylera Kwampirs 2022) The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)", "meta": { "external_id": "S0140", "mitre_platforms": [ "Windows" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/", "https://attack.mitre.org/software/S0140", "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf", "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/", "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html", "https://www.symantec.com/connect/blogs/shamoon-attacks" ], "synonyms": [ "Shamoon", "Disttrack" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "776b1849-8d5b-4762-8ba1-cbbaddb4ce3a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", 
"type": "uses" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" } ], "uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "value": "Shamoon - S0140" }, { "description": "[Wiper](https://attack.mitre.org/software/S0041) is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper)", "meta": { "external_id": "S0041", "refs": [ "http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/", "https://attack.mitre.org/software/S0041" ] }, "related": [ { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "type": "uses" } ], "uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085", "value": "Wiper - S0041" }, { "description": "[MiniDuke](https://attack.mitre.org/software/S0051) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. The [MiniDuke](https://attack.mitre.org/software/S0051) toolset consists of multiple downloader and backdoor components. 
The loader has been used with other [MiniDuke](https://attack.mitre.org/software/S0051) components as well as in conjunction with [CosmicDuke](https://attack.mitre.org/software/S0050) and [PinchDuke](https://attack.mitre.org/software/S0048). (Citation: F-Secure The Dukes)", "meta": { "external_id": "S0051", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0051", "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" ], "synonyms": [ "MiniDuke" ] }, "related": [ { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" } ], "uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "value": "MiniDuke - S0051" }, { "description": "[POSHSPY](https://attack.mitre.org/software/S0150) is a backdoor that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2015. It appears to serve as a secondary backdoor, used if the actors lost access to their primary backdoors. 
(Citation: FireEye POSHSPY April 2017)", "meta": { "external_id": "S0150", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0150", "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" ], "synonyms": [ "POSHSPY" ] }, "related": [ { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4df1b257-c242-46b0-b120-591430066b6f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", "value": "POSHSPY - S0150" }, { "description": "[Ixeshe](https://attack.mitre.org/software/S0015) is a malware family that has been used since at least 2009 against targets in East Asia. 
(Citation: Moran 2013)", "meta": { "external_id": "S0015", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0015", "https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html" ], "synonyms": [ "Ixeshe" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", "value": "Ixeshe - S0015" }, { "description": "[PipeMon](https://attack.mitre.org/software/S0501) is a multi-stage modular backdoor used by [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: ESET PipeMon May 2020)", "meta": { "external_id": "S0501", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0501", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" ], "synonyms": [ "PipeMon" ] }, "related": [ { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, 
{ "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2de47683-f398-448f-b947-9abcc3e32fad", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "8393dac0-0583-456a-9372-fd81691bca20", "value": "PipeMon - S0501" }, { "description": "[HDoor](https://attack.mitre.org/software/S0061) is malware that has been customized and used by the [Naikon](https://attack.mitre.org/groups/G0019) group. 
(Citation: Baumgartner Naikon 2015)", "meta": { "external_id": "S0061", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0061", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [ "HDoor", "Custom HDoor" ] }, "related": [ { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" } ], "uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", "value": "HDoor - S0061" }, { "description": "[Hildegard](https://attack.mitre.org/software/S0601) is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind [Hildegard](https://attack.mitre.org/software/S0601). (Citation: Unit 42 Hildegard Malware)", "meta": { "external_id": "S0601", "mitre_platforms": [ "Linux", "Containers", "IaaS" ], "refs": [ "https://attack.mitre.org/software/S0601", "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" ], "synonyms": [ "Hildegard" ] }, "related": [ { "dest-uuid": "0470e792-32f8-46b0-a351-652bc35e9336", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "19bf235b-8620-4997-b5b4-94e0659ed7c3", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "type": "uses" }, { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665", "type": "uses" }, { "dest-uuid": 
"60b508a1-6a5e-46b1-821a-9f7b78752abf", "type": "uses" }, { "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "40a1b8ec-7295-416c-a6b1-68181d86f120", "value": "Hildegard - S0601" }, { "description": "[Mafalda](https://attack.mitre.org/software/S1060) is a flexible interactive implant that has been used by [Metador](https://attack.mitre.org/groups/G1013). Security researchers assess the [Mafalda](https://attack.mitre.org/software/S1060) name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. 
(Citation: SentinelLabs Metador Sept 2022)", "meta": { "external_id": "S1060", "mitre_platforms": [ "Windows" ], "refs": [ "https://assets.sentinelone.com/sentinellabs22/metador#page=1", "https://attack.mitre.org/software/S1060" ], "synonyms": [ "Mafalda" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "type": "uses" }, { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", "type": "uses" }, { "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": 
"970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" } ], "uuid": "3be1fb7a-0f7e-415e-8e3a-74a80d596e68", "value": "Mafalda - S1060" }, { "description": "[SideTwist](https://attack.mitre.org/software/S0610) is a C-based backdoor that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2021.(Citation: Check Point APT34 April 2021)", "meta": { "external_id": "S0610", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0610", "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" ], "synonyms": [ "SideTwist" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" 
}, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "df4cd566-ff2f-4d08-976d-8c86e95782de", "value": "SideTwist - S0610" }, { "description": "[BISCUIT](https://attack.mitre.org/software/S0017) is a backdoor that has been used by [APT1](https://attack.mitre.org/groups/G0006) since as early as 2007. (Citation: Mandiant APT1)", "meta": { "external_id": "S0017", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0017", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", "https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf" ], "synonyms": [ "BISCUIT" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f1e05a12-ca50-41ab-a963-d7df5bcb141d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": 
"uses" } ], "uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", "value": "BISCUIT - S0017" }, { "description": "[Helminth](https://attack.mitre.org/software/S0170) is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable. (Citation: Palo Alto OilRig May 2016)", "meta": { "external_id": "S0170", "mitre_platforms": [ "Windows" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "https://attack.mitre.org/software/S0170" ], "synonyms": [ "Helminth" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "19d89300-ff97-4281-ac42-76542e744092", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": 
"uses" }, { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "value": "Helminth - S0170" }, { "description": "[hcdLoader](https://attack.mitre.org/software/S0071) is a remote access tool (RAT) that has been used by [APT18](https://attack.mitre.org/groups/G0026). (Citation: Dell Lateral Movement)", "meta": { "external_id": "S0071", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/", "https://attack.mitre.org/software/S0071" ], "synonyms": [ "hcdLoader" ] }, "related": [ { "dest-uuid": "12bb8f4f-af29-49a0-8c2c-d28468f28fd8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" } ], "uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", "value": "hcdLoader - S0071" }, { "description": "[Elise](https://attack.mitre.org/software/S0081) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It is part of a larger group of\ntools referred to as LStudio, ST Group, and APT0LSTU. 
(Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)", "meta": { "external_id": "S0081", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0081", "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" ], "synonyms": [ "Elise", "BKDR_ESILE", "Page" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "3477a25d-e04b-475e-8330-39f66c10cc01", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d70fd29d-590e-4ed5-b72f-6ce0142019c6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": 
"uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "value": "Elise - S0081" }, { "description": "[Fakecalls](https://attack.mitre.org/software/S1080) is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.(Citation: kaspersky_fakecalls_0422) ", "meta": { "external_id": "S1080", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1080", "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/" ], "synonyms": [ "Fakecalls" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" } ], "uuid": "429e1526-6293-495b-8808-af7f9a66c4be", "value": "Fakecalls - S1080" }, { "description": "[Sykipot](https://attack.mitre.org/software/S0018) is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. 
One variant of [Sykipot](https://attack.mitre.org/software/S0018) hijacks smart cards on victims. (Citation: Alienvault Sykipot DOD Smart Cards) The group using this malware has also been referred to as Sykipot. (Citation: Blasco 2013)", "meta": { "external_id": "S0018", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments", "https://attack.mitre.org/software/S0018", "https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards" ], "synonyms": [ "Sykipot" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "value": "Sykipot - S0018" }, { "description": "[Volgmer](https://attack.mitre.org/software/S0180) is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. 
(Citation: US-CERT Volgmer Nov 2017)", "meta": { "external_id": "S0180", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0180", "https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2", "https://www.us-cert.gov/ncas/alerts/TA17-318B", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF" ], "synonyms": [ "Volgmer" ] }, "related": [ { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { 
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "value": "Volgmer - S0180" }, { "description": "[NightClub](https://attack.mitre.org/software/S1090) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2014.(Citation: MoustachedBouncer ESET August 2023)", "meta": { "external_id": "S1090", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1090", "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" ], "synonyms": [ "NightClub" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": 
"uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "91c57ed3-7c32-4c68-b388-7db00cb8dac6", "value": "NightClub - S1090" }, { "description": "[Epic](https://attack.mitre.org/software/S0091) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)", "meta": { "external_id": "S0091", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0091", "https://securelist.com/the-epic-turla-operation/65545/" ], "synonyms": [ "Epic", "Tavdig", "Wipbot", "WorldCupSec", "TadjMakhal" ] }, "related": [ { "dest-uuid": "0042a9f5-f053-4769-b3ef-9ad018dfa298", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "36c0faf0-428e-4e7f-93c5-824bb0495ac9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, 
{ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", "value": "Epic - S0091" }, { "description": "[Regin](https://attack.mitre.org/software/S0019) is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some [Regin](https://attack.mitre.org/software/S0019) timestamps date back to 2003. 
(Citation: Kaspersky Regin)", "meta": { "external_id": "S0019", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0019", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf" ], "synonyms": [ "Regin" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0cf21558-1217-4d36-9536-2919cfd44825", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "uses" }, { "dest-uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", "type": "uses" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" } ], "uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", "value": "Regin - S0019" }, { "description": "[Chaos](https://attack.mitre.org/software/S0220) is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. 
(Citation: Chaos Stolen Backdoor)", "meta": { "external_id": "S0220", "mitre_platforms": [ "Linux" ], "refs": [ "http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/", "https://attack.mitre.org/software/S0220" ], "synonyms": [ "Chaos" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "type": "uses" }, { "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" } ], "uuid": "5bcd5511-6756-4824-a692-e8bb109364af", "value": "Chaos - S0220" }, { "description": "[Uroburos](https://attack.mitre.org/software/S0022) is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the [Turla](https://attack.mitre.org/groups/G0010) toolset to collect intelligence on sensitive targets worldwide. [Uroburos](https://attack.mitre.org/software/S0022) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://attack.mitre.org/software/S0022) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. 
[Uroburos](https://attack.mitre.org/software/S0022) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)", "meta": { "external_id": "S0022", "mitre_platforms": [ "Linux", "Windows", "macOS" ], "refs": [ "https://attack.mitre.org/software/S0022", "https://securelist.com/the-epic-turla-operation/65545/", "https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf" ], "synonyms": [ "Uroburos", "Snake" ] }, "related": [ { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "22332d52-c0c2-443c-9ffb-f08c0d23722c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "type": "uses" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": 
"7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" } ], "uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", "value": "Uroburos - S0022" }, { "description": "[adbupd](https://attack.mitre.org/software/S0202) is a backdoor used by [PLATINUM](https://attack.mitre.org/groups/G0068) that is similar to [Dipsind](https://attack.mitre.org/software/S0200). 
(Citation: Microsoft PLATINUM April 2016)", "meta": { "external_id": "S0202", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0202", "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" ], "synonyms": [ "adbupd" ] }, "related": [ { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" } ], "uuid": "0f1ad2ef-41d4-4b7a-9304-ddae68ea3005", "value": "adbupd - S0202" }, { "description": "[CHOPSTICK](https://attack.mitre.org/software/S0023) is a malware family of modular backdoors used by [APT28](https://attack.mitre.org/groups/G0007). It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. 
(Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the [X-Agent for Android](https://attack.mitre.org/software/S0314).", "meta": { "external_id": "S0023", "mitre_platforms": [ "Windows", "Linux" ], "refs": [ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://attack.mitre.org/software/S0023", "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", "https://www.justice.gov/file/1080281/download", "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" ], "synonyms": [ "CHOPSTICK", "Backdoor.SofacyX", "SPLM", "Xagent", "X-Agent", "webhp" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", "type": "uses" 
}, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" } ], "uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "value": "CHOPSTICK - S0023" }, { "description": "[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. 
(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)", "meta": { "external_id": "S0320", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0320", "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app", "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat" ], "synonyms": [ "DroidJack" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" } ], "uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "value": "DroidJack - S0320" }, { "description": "[Hydraq](https://attack.mitre.org/software/S0203) is a data-theft trojan first used by [Elderwood](https://attack.mitre.org/groups/G0066) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including [APT17](https://attack.mitre.org/groups/G0025).(Citation: MicroFocus 9002 Aug 2016)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: ASERT Seven Pointed Dagger Aug 2015)(Citation: FireEye DeputyDog 9002 November 2013)(Citation: ProofPoint GoT 9002 Aug 2017)(Citation: FireEye Sunshop Campaign May 2013)(Citation: PaloAlto 3102 Sept 2015)", "meta": { "external_id": "S0203", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0203", "https://community.softwaregrp.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WosBVKjwZPZ", "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/", 
"https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf", "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html", "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html", "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures", "https://www.symantec.com/connect/blogs/trojanhydraq-incident" ], "synonyms": [ "Hydraq", "Roarur", "MdmBot", "HomeUnix", "Homux", "HidraQ", "HydraQ", "McRat", "Aurora", "9002 RAT" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "70c31066-237a-11e8-8eff-37ef1ad0c703", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], 
"type": "similar" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", "value": "Hydraq - S0203" }, { "description": "[ZeroT](https://attack.mitre.org/software/S0230) is a Trojan used by [TA459](https://attack.mitre.org/groups/G0062), often in conjunction with [PlugX](https://attack.mitre.org/software/S0013). 
(Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017)", "meta": { "external_id": "S0230", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0230", "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx", "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts" ], "synonyms": [ "ZeroT" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", "type": "uses" }, { "dest-uuid": "ff00fa92-b32e-46b6-88ca-98357ebe3f54", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f", "value": "ZeroT - S0230" }, { "description": "[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)", "meta": { "external_id": "S0302", "mitre_platforms": [ "Android" ], "refs": [ 
"http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/", "https://attack.mitre.org/software/S0302" ], "synonyms": [ "Twitoor" ] }, "related": [ { "dest-uuid": "d916f176-a1ca-4a78-9fdd-4058bc28162e", "type": "uses" }, { "dest-uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" } ], "uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c", "value": "Twitoor - S0302" }, { "description": "[Get2](https://attack.mitre.org/software/S0460) is a downloader written in C++ that has been used by [TA505](https://attack.mitre.org/groups/G0092) to deliver [FlawedGrace](https://attack.mitre.org/software/S0383), [FlawedAmmyy](https://attack.mitre.org/software/S0381), Snatch and [SDBbot](https://attack.mitre.org/software/S0461).(Citation: Proofpoint TA505 October 2019)", "meta": { "external_id": "S0460", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0460", "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" ], "synonyms": [ "Get2" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "099ecff2-41b8-436d-843c-038a9aa9aa69", "value": "Get2 - S0460" }, { "description": "[LOWBALL](https://attack.mitre.org/software/S0042) is malware used by [admin@338](https://attack.mitre.org/groups/G0018). It was used in August 2015 in email messages targeting Hong Kong-based media organizations. 
(Citation: FireEye admin@338)", "meta": { "external_id": "S0042", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0042", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" ], "synonyms": [ "LOWBALL" ] }, "related": [ { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", "value": "LOWBALL - S0042" }, { "description": "[ROKRAT](https://attack.mitre.org/software/S0240) is a cloud-based remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067) to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) has used ROKRAT during several campaigns from 2016 through 2021.(Citation: Talos ROKRAT)(Citation: Talos Group123)(Citation: Volexity InkySquid RokRAT August 2021)", "meta": { "external_id": "S0240", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0240", "https://blog.talosintelligence.com/2017/04/introducing-rokrat.html", "https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html", "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/" ], "synonyms": [ "ROKRAT" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": 
"30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995", "type": "uses" } ], "uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", "value": "ROKRAT - S0240" }, { "description": "[Briba](https://attack.mitre.org/software/S0204) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor and download files on to compromised hosts. 
(Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Briba May 2012)", "meta": { "external_id": "S0204", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0204", "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99" ], "synonyms": [ "Briba" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde", "value": "Briba - S0204" }, { "description": "[Dvmap](https://attack.mitre.org/software/S0420) is Android rooting malware that injects malicious code into system runtime libraries. It is credited with being the first Android malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)", "meta": { "external_id": "S0420", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0420", "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" ], "synonyms": [ "Dvmap" ] }, "related": [ { "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", "type": "uses" }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "c6e17ca2-08b5-4379-9786-89bd05241831", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "type": "uses" } ], "uuid": "22b596a6-d288-4409-8520-5f2846f85514", "value": "Dvmap - S0420" }, { "description": 
"[Dyre](https://attack.mitre.org/software/S0024) is a banking Trojan that has been used for financial gain. \n (Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)", "meta": { "external_id": "S0024", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf", "https://attack.mitre.org/software/S0024", "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/", "https://nakedsecurity.sophos.com/2015/04/20/notes-from-sophoslabs-dyreza-the-malware-that-discriminates-against-old-computers/" ], "synonyms": [ "Dyre", "Dyzap", "Dyreza" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "15e969e6-f031-4441-a49b-f401332e4b00", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1ecbcd20-f238-47ef-874b-08ef93266395", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", 
"type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", "value": "Dyre - S0024" }, { "description": "[CALENDAR](https://attack.mitre.org/software/S0025) is malware used by [APT1](https://attack.mitre.org/groups/G0006) that mimics legitimate Gmail Calendar traffic. (Citation: Mandiant APT1)", "meta": { "external_id": "S0025", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0025", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" ], "synonyms": [ "CALENDAR" ] }, "related": [ { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e2c18713-0a95-4092-a0e9-76358512daad", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", "value": "CALENDAR - S0025" }, { "description": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)", "meta": { "external_id": "S0520", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0520", "https://digital.nhs.uk/cyber-alerts/2020/cc-3603", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" ], "synonyms": [ "BLINDINGCAN" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", 
"type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "01dbc71d-0ee8-420d-abb4-3dfb6a4bf725", "value": "BLINDINGCAN - S0520" }, { "description": "[OnionDuke](https://attack.mitre.org/software/S0052) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2013 to 2015. 
(Citation: F-Secure The Dukes)", "meta": { "external_id": "S0052", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0052", "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" ], "synonyms": [ "OnionDuke" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8", "type": "uses" }, { "dest-uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", "value": "OnionDuke - S0052" }, { "description": "[Drovorub](https://attack.mitre.org/software/S0502) is a Linux malware toolset composed of an agent, a client, a server, and kernel modules; it has been used by [APT28](https://attack.mitre.org/groups/G0007).(Citation: NSA/FBI Drovorub August 2020)", "meta": { "external_id": "S0502", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S0502", "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" ], "synonyms": [ "Drovorub" ] }, "related": [ { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { 
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" } ], "uuid": "99164b38-1775-40bc-b77b-a2373b14540a", "value": "Drovorub - S0502" }, { "description": "[Naid](https://attack.mitre.org/software/S0205) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Naid June 2012)", "meta": { "external_id": "S0205", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0205", "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99" ], "synonyms": [ "Naid" ] }, "related": [ { "dest-uuid": "170db76b-93f7-4fd1-97fc-55937c079b66", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" } ], "uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", "value": "Naid - S0205" }, { "description": "[GLOOXMAIL](https://attack.mitre.org/software/S0026) is malware used by [APT1](https://attack.mitre.org/groups/G0006) that mimics legitimate Jabber/XMPP traffic. 
(Citation: Mandiant APT1)", "meta": { "external_id": "S0026", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0026", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" ], "synonyms": [ "GLOOXMAIL", "Trojan.GTALK" ] }, "related": [ { "dest-uuid": "a379f09b-5cec-4bdb-9735-125cef2de073", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" } ], "uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", "value": "GLOOXMAIL - S0026" }, { "description": "[Circles](https://attack.mitre.org/software/S0602) reportedly takes advantage of weaknesses in Signaling System 7 (SS7), the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company’s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)", "meta": { "external_id": "S0602", "refs": [ "https://attack.mitre.org/software/S0602", "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/" ], "synonyms": [ "Circles" ] }, "related": [ { "dest-uuid": "0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "type": "uses" } ], "uuid": "c6a07c89-a24c-4c7e-9e3e-6153cc595e24", "value": "Circles - S0602" }, { "description": "[DustySky](https://attack.mitre.org/software/S0062) is multi-stage malware written in .NET that has been used by [Molerats](https://attack.mitre.org/groups/G0021) since May 2015. 
(Citation: DustySky) (Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)", "meta": { "external_id": "S0062", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf", "https://attack.mitre.org/software/S0062", "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/", "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" ], "synonyms": [ "DustySky", "NeD Worm" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "eedcf785-d011-4e17-96c4-6ff39138ada0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { 
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "value": "DustySky - S0062" }, { "description": "[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in Ukraine and Russia. [Gamaredon Group](https://attack.mitre.org/groups/G0047) infrastructure has been used to download and execute [InvisiMole](https://attack.mitre.org/software/S0260) against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "meta": { "external_id": "S0260", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0260", "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" ], "synonyms": [ "InvisiMole" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": 
"1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": 
"6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", "type": "uses" }, { "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", "type": "uses" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb2cb5cb-ae87-4de0-8c35-da2a17aafb99", "type": "uses" }, { "dest-uuid": 
"ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" } ], "uuid": "47afe41c-4c08-485e-b062-c3bd209a1cce", "value": "InvisiMole - S0260" }, { "description": "[Wiarp](https://attack.mitre.org/software/S0206) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012)", "meta": { "external_id": "S0206", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0206", "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99" ], "synonyms": [ "Wiarp" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "039814a0-88de-46c5-a4fb-b293db21880a", "value": "Wiarp - S0206" }, { "description": "[OwaAuth](https://attack.mitre.org/software/S0072) is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by [Threat Group-3390](https://attack.mitre.org/groups/G0027). 
(Citation: Dell TG-3390)", "meta": { "external_id": "S0072", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0072", "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" ], "synonyms": [ "OwaAuth" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", "value": "OwaAuth - S0072" }, { "description": "[RogueRobin](https://attack.mitre.org/software/S0270) is a payload used by [DarkHydrus](https://attack.mitre.org/groups/G0079) that has been developed in PowerShell and C#. 
(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)", "meta": { "external_id": "S0270", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0270", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/" ], "synonyms": [ "RogueRobin" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122", "value": "RogueRobin - S0270" }, { "description": "[Vasport](https://attack.mitre.org/software/S0207) is a trojan used by 
[Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Vasport May 2012)", "meta": { "external_id": "S0207", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0207", "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-5938-99" ], "synonyms": [ "Vasport" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5", "value": "Vasport - S0207" }, { "description": "[Zeroaccess](https://attack.mitre.org/software/S0027) is a kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that attempts to add victims to the ZeroAccess botnet, often for monetary gain. (Citation: Sophos ZeroAccess)", "meta": { "external_id": "S0027", "refs": [ "https://attack.mitre.org/software/S0027", "https://sophosnews.files.wordpress.com/2012/04/zeroaccess2.pdf" ] }, "related": [ { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" } ], "uuid": "552462b9-ae79-49dd-855c-5973014e157f", "value": "Zeroaccess - S0027" }, { "description": "[SHIPSHAPE](https://attack.mitre.org/software/S0028) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. 
(Citation: FireEye APT30)", "meta": { "external_id": "S0028", "refs": [ "https://attack.mitre.org/software/S0028", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ] }, "related": [ { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" } ], "uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", "value": "SHIPSHAPE - S0028" }, { "description": "[Emissary](https://attack.mitre.org/software/S0082) is a Trojan that has been used by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It shares code with [Elise](https://attack.mitre.org/software/S0081), with both Trojans being part of a malware group referred to as LStudio. (Citation: Lotus Blossom Dec 2015)", "meta": { "external_id": "S0082", "mitre_platforms": [ "Windows" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/", "https://attack.mitre.org/software/S0082" ], "synonyms": [ "Emissary" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { 
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "value": "Emissary - S0082" }, { "description": "[MirageFox](https://attack.mitre.org/software/S0280) is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. (Citation: APT15 Intezer June 2018)", "meta": { "external_id": "S0280", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0280", "https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" ], "synonyms": [ "MirageFox" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" } ], "uuid": "e3cedcfe-6515-4348-af65-7f2c4157bf0d", "value": "MirageFox - S0280" }, { "description": "[Pasam](https://attack.mitre.org/software/S0208) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. 
(Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Pasam May 2012)", "meta": { "external_id": "S0208", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0208", "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "https://www.symantec.com/security_response/writeup.jsp?docid=2012-050412-4128-99" ], "synonyms": [ "Pasam" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", "type": "uses" } ], "uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", "value": "Pasam - S0208" }, { "description": "", "meta": { "external_id": "S0209", "refs": [ "https://attack.mitre.org/software/S0209" ] }, "related": [ { "dest-uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "revoked-by" } ], "revoked": true, "uuid": "310f437b-29e7-4844-848c-7220868d074a", "value": "Darkmoon - S0209" }, { "description": "[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. 
(Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)", "meta": { "external_id": "S0290", "mitre_platforms": [ "Android" ], "refs": [ "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/", "https://attack.mitre.org/software/S0290", "https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/", "https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi" ], "synonyms": [ "Gooligan", "Ghost Push" ] }, "related": [ { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" } ], "uuid": "20d56cd6-8dff-4871-9889-d32d254816de", "value": "Gooligan - S0290" }, { "description": "[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)", "meta": { "external_id": "S0303", "refs": [ "https://attack.mitre.org/software/S0303", "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" ] }, "related": [ { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" } ], "uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "value": "MazarBOT - S0303" }, { "description": "[NetTraveler](https://attack.mitre.org/software/S0033) is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. 
(Citation: Kaspersky NetTraveler)", "meta": { "external_id": "S0033", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf", "https://attack.mitre.org/software/S0033" ], "synonyms": [ "NetTraveler" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "3a26ee44-3224-48f3-aefb-3978c972d928", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "59b70721-6fed-4805-afa5-4ff2554bef81", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", "value": "NetTraveler - S0033" }, { "description": "[BUBBLEWRAP](https://attack.mitre.org/software/S0043) is a full-featured, second-stage backdoor used by the [admin@338](https://attack.mitre.org/groups/G0018) group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. (Citation: FireEye admin@338)", "meta": { "external_id": "S0043", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0043", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" ], "synonyms": [ "BUBBLEWRAP", "Backdoor.APT.FakeWinHTTPHelper" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", "value": "BUBBLEWRAP - S0043" }, { "description": "[NETEAGLE](https://attack.mitre.org/software/S0034) is a backdoor developed by [APT30](https://attack.mitre.org/groups/G0013) with compile dates as early as 2008. 
It has two main variants known as “Scout” and “Norton.” (Citation: FireEye APT30)", "meta": { "external_id": "S0034", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0034", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [ "NETEAGLE" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "type": "uses" }, { "dest-uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "value": "NETEAGLE - S0034" }, { "description": "[Octopus](https://attack.mitre.org/software/S0340) is a Windows Trojan written in the Delphi programming language that has been used by [Nomadic Octopus](https://attack.mitre.org/groups/G0133) to target government organizations in Central Asia since at least 2014.(Citation: Securelist Octopus Oct 2018)(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018) ", "meta": { "external_id": "S0340", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0340", "https://securelist.com/octopus-infested-seas-of-central-asia/88200/", 
"https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf" ], "synonyms": [ "Octopus" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "e2031fd5-02c2-43d4-85e2-b64f474530c2", "value": "Octopus - S0340" }, { "description": "[Riltok](https://attack.mitre.org/software/S0403) is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)", "meta": { "external_id": "S0403", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0403", "https://securelist.com/mobile-banker-riltok/91374/" ], "synonyms": [ 
"Riltok" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "c0efbaae-9e7d-4716-a92d-68373aac7424", "value": "Riltok - S0403" }, { "description": "[SPACESHIP](https://attack.mitre.org/software/S0035) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)", "meta": { "external_id": "S0035", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0035", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [ "SPACESHIP" ] }, "related": [ { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", "type": "uses" } ], "uuid": "8b880b41-5139-4807-baa9-309690218719", "value": "SPACESHIP - S0035" }, { "description": "[SeaDuke](https://attack.mitre.org/software/S0053) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2014 to 2015. 
It was used primarily as a secondary backdoor for victims that were already compromised with [CozyCar](https://attack.mitre.org/software/S0046). (Citation: F-Secure The Dukes)", "meta": { "external_id": "S0053", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0053", "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" ], "synonyms": [ "SeaDuke", "SeaDaddy", "SeaDesk" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "value": "SeaDuke - S0053" }, { "description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) is a point of sale (POS) malware used by [FIN6](https://attack.mitre.org/groups/G0037) to steal payment card data from systems that run physical POS 
devices.(Citation: SentinelOne FrameworkPOS September 2019)", "meta": { "external_id": "S0503", "refs": [ "https://attack.mitre.org/software/S0503", "https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/" ], "synonyms": [ "FrameworkPOS", "Trinity" ] }, "related": [ { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "type": "uses" } ], "uuid": "1cdbbcab-903a-414d-8eb0-439a97343737", "value": "FrameworkPOS - S0503" }, { "description": "[Melcoz](https://attack.mitre.org/software/S0530) is a banking trojan family built from the open source tool Remote Access PC. [Melcoz](https://attack.mitre.org/software/S0530) was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.(Citation: Securelist Brazilian Banking Malware July 2020)", "meta": { "external_id": "S0530", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0530", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" ], "synonyms": [ "Melcoz" ] }, "related": [ { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5", "type": "uses" }, { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": 
"uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "d3105fb5-c494-4fd1-a7be-414eab9e0c96", "value": "Melcoz - S0530" }, { "description": "[zwShell](https://attack.mitre.org/software/S0350) is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during [Night Dragon](https://attack.mitre.org/campaigns/C0002).(Citation: McAfee Night Dragon)", "meta": { "external_id": "S0350", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0350", "https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" ], "synonyms": [ "zwShell" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" } ], "uuid": "54e8672d-5338-4ad1-954a-a7c986bee530", "value": "zwShell - S0350" }, { "description": "[BONDUPDATER](https://attack.mitre.org/software/S0360) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). 
It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig Sep 2018)", "meta": { "external_id": "S0360", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0360", "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/", "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" ], "synonyms": [ "BONDUPDATER" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "d5268dfb-ae2b-4e0e-ac07-02a460613d8a", "value": "BONDUPDATER - S0360" }, { "description": "[FLASHFLOOD](https://attack.mitre.org/software/S0036) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. 
(Citation: FireEye APT30)", "meta": { "external_id": "S0036", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0036", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [ "FLASHFLOOD" ] }, "related": [ { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" } ], "uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", "value": "FLASHFLOOD - S0036" }, { "description": "[SHOTPUT](https://attack.mitre.org/software/S0063) is a custom backdoor used by [APT3](https://attack.mitre.org/groups/G0022). (Citation: FireEye Clandestine Wolf)", "meta": { "external_id": "S0063", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0063", "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html", "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html" ], "synonyms": [ "SHOTPUT", "Backdoor.APT.CookieCutter", "Pirpi" ] }, "related": [ { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "4859330d-c6a5-4b9c-b45b-536ec983cd4a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" } ], "uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", 
"value": "SHOTPUT - S0063" }, { "description": "[Nebulae](https://attack.mitre.org/software/S0630) is a backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)", "meta": { "external_id": "S0630", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0630", "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" ], "synonyms": [ "Nebulae" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "22b17791-45bf-45c0-9322-ff1a0af5cf2b", "value": "Nebulae - S0630" }, { "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. 
[Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ", "meta": { "external_id": "S0603", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0603", "https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01", "https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf", "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf", "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" ], "synonyms": [ "Stuxnet", "W32.Stuxnet" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", 
"type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", "type": "uses" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { 
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" }, { "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a", "type": "uses" } ], "uuid": "088f1d6e-0783-47c6-9923-9c79b2af43d4", "value": "Stuxnet - S0603" }, { "description": "[HAMMERTOSS](https://attack.mitre.org/software/S0037) is a backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2015. (Citation: FireEye APT29) (Citation: F-Secure The Dukes)", "meta": { "external_id": "S0037", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0037", "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf" ], "synonyms": [ "HAMMERTOSS", "HammerDuke", "NetDuke" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", "type": "uses" } ], "uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", "value": "HAMMERTOSS - S0037" }, { "description": "[ASPXSpy](https://attack.mitre.org/software/S0073) is a Web shell. It has been modified by [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors to create the ASPXTool version. 
(Citation: Dell TG-3390)", "meta": { "external_id": "S0073", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0073", "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" ], "synonyms": [ "ASPXSpy", "ASPXTool" ] }, "related": [ { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" } ], "uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", "value": "ASPXSpy - S0073" }, { "description": "[SamSam](https://attack.mitre.org/software/S0370) is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.(Citation: US-CERT SamSam 2018)(Citation: Talos SamSam Jan 2018)(Citation: Sophos SamSam Apr 2018)(Citation: Symantec SamSam Oct 2018)", "meta": { "external_id": "S0370", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0370", "https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf", "https://www.symantec.com/blogs/threat-intelligence/samsam-targeted-ransomware-attacks", "https://www.us-cert.gov/ncas/alerts/AA18-337A" ], "synonyms": [ "SamSam", "Samas" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" } ], "uuid": "4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", "value": "SamSam - S0370" }, { "description": "[StoneDrill](https://attack.mitre.org/software/S0380) is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in 
association with [APT33](https://attack.mitre.org/groups/G0064).(Citation: FireEye APT33 Sept 2017)(Citation: Kaspersky StoneDrill 2017)", "meta": { "external_id": "S0380", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0380", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" ], "synonyms": [ "StoneDrill", "DROPSHOT" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", "type": "uses" } ], "uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887", "value": "StoneDrill - S0380" }, { "description": "[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. 
(Citation: Symantec W32.Duqu)", "meta": { "external_id": "S0038", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0038", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" ], "synonyms": [ "Duqu" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "809b54c3-dd6a-4ec9-8c3a-a27b9baa6732", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" }, { "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": 
"uses" } ], "uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "value": "Duqu - S0038" }, { "description": "[Misdat](https://attack.mitre.org/software/S0083) is a backdoor that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) from 2010 to 2011.(Citation: Cylance Dust Storm)", "meta": { "external_id": "S0083", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0083", "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" ], "synonyms": [ "Misdat" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "value": "Misdat - 
S0083" }, { "description": "[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)", "meta": { "external_id": "S0309", "refs": [ "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534", "https://attack.mitre.org/software/S0309", "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" ] }, "related": [ { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" } ], "uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "value": "Adups - S0309" }, { "description": "[SQLRat](https://attack.mitre.org/software/S0390) is malware that executes SQL scripts to avoid leaving traditional host artifacts. 
[FIN7](https://attack.mitre.org/groups/G0046) has been observed using it.(Citation: Flashpoint FIN 7 March 2019)", "meta": { "external_id": "S0390", "refs": [ "https://attack.mitre.org/software/S0390", "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" ], "synonyms": [ "SQLRat" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", "value": "SQLRat - S0390" }, { "description": "[JHUHUGIT](https://attack.mitre.org/software/S0044) is malware used by [APT28](https://attack.mitre.org/groups/G0007). It is based on Carberp source code and serves as reconnaissance malware. 
(Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017)", "meta": { "external_id": "S0044", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", "https://attack.mitre.org/software/S0044", "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" ], "synonyms": [ "JHUHUGIT", "Trojan.Sofacy", "Seduploader", "JKEYSKW", "Sednit", "GAMEFISH", "SofacyCarberp" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], 
"type": "similar" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "value": "JHUHUGIT - S0044" }, { "description": "[SHARPSTATS](https://attack.mitre.org/software/S0450) is a .NET backdoor used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2019.(Citation: TrendMicro POWERSTATS V3 June 2019)", "meta": { "external_id": "S0450", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0450", "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" ], "synonyms": [ "SHARPSTATS" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": 
"707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "73c4711b-407a-449d-b269-e3b1531fe7a9", "value": "SHARPSTATS - S0450" }, { "description": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) is a spying backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)", "meta": { "external_id": "S0045", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://attack.mitre.org/software/S0045", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" ], "synonyms": [ "ADVSTORESHELL", "AZZY", "EVILTOSS", "NETUI", "Sedreco" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { 
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "6374fc53-9a0d-41ba-b9cf-2a9765d69fbb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "value": "ADVSTORESHELL - S0045" }, { "description": "[Asacub](https://attack.mitre.org/software/S0540) is a banking trojan that attempts to steal money from victims’ bank accounts. 
It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)", "meta": { "external_id": "S0540", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0540", "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" ], "synonyms": [ "Asacub", "Trojan-SMS.AndroidOS.Smaps" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb", "type": "uses" }, { "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec", "type": "uses" } ], "uuid": "a76b837b-93cc-417d-bf28-c47a6a284fa4", "value": "Asacub - S0540" }, { "description": "[Anchor](https://attack.mitre.org/software/S0504) is one of a family of backdoor malware that has been used in conjunction with [TrickBot](https://attack.mitre.org/software/S0266) on selected high profile targets since at least 2018.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)", "meta": { "external_id": "S0504", "mitre_platforms": [ "Linux", "Windows" ], "refs": [ "https://attack.mitre.org/software/S0504", "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30", 
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" ], "synonyms": [ "Anchor", "Anchor_DNS" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" } ], "uuid": "5f1d4579-4e8f-48e7-860e-2da773ae432e", "value": "Anchor - S0504" }, { "description": "[CloudDuke](https://attack.mitre.org/software/S0054) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2015. 
(Citation: F-Secure The Dukes) (Citation: Securelist Minidionis July 2015)", "meta": { "external_id": "S0054", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0054", "https://securelist.com/minidionis-one-more-apt-with-a-usage-of-cloud-drives/71443/", "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" ], "synonyms": [ "CloudDuke", "MiniDionis", "CloudLook" ] }, "related": [ { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", "value": "CloudDuke - S0054" }, { "description": "[Exodus](https://attack.mitre.org/software/S0405) is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)", "meta": { "external_id": "S0405", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0405", "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" ], "synonyms": [ "Exodus", "Exodus One", "Exodus Two" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, 
{ "dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec", "type": "uses" } ], "uuid": "3049b2f2-e323-4cdb-91cb-13b37b904cbb", "value": "Exodus - S0405" }, { "description": "[Avaddon](https://attack.mitre.org/software/S0640) is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.(Citation: Awake Security Avaddon)(Citation: Arxiv Avaddon Feb 2021)", "meta": { "external_id": "S0640", "mitre_platforms": [ "Windows" ], "refs": [ "https://arxiv.org/pdf/2102.04796.pdf", "https://attack.mitre.org/software/S0640", "https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/" ], "synonyms": [ "Avaddon" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { 
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "58c5a3a1-928f-4094-9e98-a5a4e56dd5f3", "value": "Avaddon - S0640" }, { "description": "[CozyCar](https://attack.mitre.org/software/S0046) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. (Citation: F-Secure The Dukes)", "meta": { "external_id": "S0046", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0046", "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" ], "synonyms": [ "CozyCar", "CozyDuke", "CozyBear", "Cozer", "EuroAPT" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": 
"cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "value": "CozyCar - S0046" }, { "description": "[ELMER](https://attack.mitre.org/software/S0064) is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by [APT16](https://attack.mitre.org/groups/G0023). (Citation: FireEye EPS Awakens Part 2)", "meta": { "external_id": "S0064", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0064", "https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" ], "synonyms": [ "ELMER" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", "value": "ELMER - S0064" }, { "description": "[Gustuff](https://attack.mitre.org/software/S0406) is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)", "meta": { "external_id": "S0406", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0406", "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" ], "synonyms": [ "Gustuff" ] }, "related": [ { "dest-uuid": "1d44f529-6fe6-489f-8a01-6261ac43f05e", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "51636761-2e35-44bf-9e56-e337adf97174", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { 
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" } ], "uuid": "ff8e0c38-be47-410f-a2d3-a3d24a87c617", "value": "Gustuff - S0406" }, { "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)", "meta": { "external_id": "S0604", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0604", "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf", "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" ], "synonyms": [ "Industroyer", "CRASHOVERRIDE", "Win32/Industroyer" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", "type": "uses" }, { "dest-uuid": 
"354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "e401d4fe-f0c9-44f0-98e6-f93487678808", "value": "Industroyer - S0604" }, { "description": "[BBK](https://attack.mitre.org/software/S0470) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)", "meta": { "external_id": "S0470", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0470", "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" ], "synonyms": [ "BBK" ] }, "related": [ { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { 
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "f0fc920e-57a3-4af5-89be-9ea594c8b1ea", "value": "BBK - S0470" }, { "description": "[Monokle](https://attack.mitre.org/software/S0407) is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.(Citation: Lookout-Monokle)", "meta": { "external_id": "S0407", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0407", "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" ], "synonyms": [ "Monokle" ] }, "related": [ { "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "type": "uses" }, { "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922", "type": "uses" }, { "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, { "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", "type": "uses" }, { "dest-uuid": "ccde43e4-78f9-4f32-b401-c081e7db71ea", "type": "uses" }, { 
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2c2249a-eb82-4614-8dd4-9c514dde65e2", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" } ], "uuid": "6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "value": "Monokle - S0407" }, { "description": "[Sakula](https://attack.mitre.org/software/S0074) is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. (Citation: Dell Sakula)", "meta": { "external_id": "S0074", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/", "https://attack.mitre.org/software/S0074" ], "synonyms": [ "Sakula", "Sakurel", "VIPER" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "3eca2d5f-41bf-4ad4-847f-df18befcdc44", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": 
"uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f6c137f0-979c-4ce2-a0e5-2a080a5a1746", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", "value": "Sakula - S0074" }, { "description": "[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of [Cerberus](https://attack.mitre.org/software/S0480) claim it was used in private operations for two years.(Citation: Threat Fabric Cerberus)", "meta": { "external_id": "S0480", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0480", "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" ], "synonyms": [ "Cerberus" ] }, "related": [ { "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", "type": "uses" }, { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": 
"uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" } ], "uuid": "037f44f0-0c07-4c7f-b40e-0325b5b228a9", "value": "Cerberus - S0480" }, { "description": "[PinchDuke](https://attack.mitre.org/software/S0048) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2008 to 2010. (Citation: F-Secure The Dukes)", "meta": { "external_id": "S0048", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0048", "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" ], "synonyms": [ "PinchDuke" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", "value": "PinchDuke - S0048" }, { "description": "[GeminiDuke](https://attack.mitre.org/software/S0049) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2009 to 2012. 
(Citation: F-Secure The Dukes)", "meta": { "external_id": "S0049", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0049", "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" ], "synonyms": [ "GeminiDuke" ] }, "related": [ { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "6a28a648-30c0-4d1d-bd67-81a8dc6486ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", "value": "GeminiDuke - S0049" }, { "description": "[Machete](https://attack.mitre.org/software/S0409) is a cyber espionage toolset used by [Machete](https://attack.mitre.org/groups/G0095). 
It is a Python-based backdoor targeting Windows machines that was first observed in 2010.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: 360 Machete Sep 2020)", "meta": { "external_id": "S0409", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0409", "https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/", "https://securelist.com/el-machete/66108/", "https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" ], "synonyms": [ "Machete", "Pyark" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": 
"58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "type": "uses" }, { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "35cd1d01-1ede-44d2-b073-a264d727bc04", "value": "Machete - S0409" }, { "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)", "meta": { 
"external_id": "S0550", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0550", "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" ], "synonyms": [ "DoubleAgent" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", "type": "uses" }, { "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" } ], "uuid": "3d6c4389-3489-40a3-beda-c56e650b6f68", "value": "DoubleAgent - S0550" }, { "description": "[RARSTONE](https://attack.mitre.org/software/S0055) is malware used by the [Naikon](https://attack.mitre.org/groups/G0019) group that has some characteristics similar to [PlugX](https://attack.mitre.org/software/S0013). 
(Citation: Aquino RARSTONE)", "meta": { "external_id": "S0055", "mitre_platforms": [ "Windows" ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/", "https://attack.mitre.org/software/S0055" ], "synonyms": [ "RARSTONE" ] }, "related": [ { "dest-uuid": "5d2dd6ad-6bb2-45d3-b295-e125d3399c8d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "8c553311-0baa-4146-997a-f79acef3d831", "value": "RARSTONE - S0055" }, { "description": "[TEARDROP](https://attack.mitre.org/software/S0560) is a memory-only dropper that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). 
It was likely used by [APT29](https://attack.mitre.org/groups/G0016) since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)", "meta": { "external_id": "S0560", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0560", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" ], "synonyms": [ "TEARDROP" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" } ], "uuid": "32f49626-87f4-4d6c-8f59-a0dca953fe26", "value": "TEARDROP - S0560" }, { "description": "[EKANS](https://attack.mitre.org/software/S0605) is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. 
[EKANS](https://attack.mitre.org/software/S0605) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc), similar to those defined in [MegaCortex](https://attack.mitre.org/software/S0576).(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)", "meta": { "external_id": "S0605", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0605", "https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/", "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/", "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" ], "synonyms": [ "EKANS", "SNAKEHOSE" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "00e7d565-9883-4ee5-b642-8fd17fd6a3f5", "value": "EKANS - S0605" }, { "description": "[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT) ", "meta": { "external_id": "S0506", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0506", "https://blog.lookout.com/viperrat-mobile-apt" ], "synonyms": [ "ViperRAT" ] }, "related": [ { 
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "f666e17c-b290-43b3-8947-b96bd5148fbb", "value": "ViperRAT - S0506" }, { "description": "[QakBot](https://attack.mitre.org/software/S0650) is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. 
[QakBot](https://attack.mitre.org/software/S0650) is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably [ProLock](https://attack.mitre.org/software/S0654) and [Egregor](https://attack.mitre.org/software/S0554).(Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021)", "meta": { "external_id": "S0650", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0650", "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot", "https://redcanary.com/threat-detection-report/threats/qbot/", "https://securelist.com/qakbot-technical-analysis/103931/", "https://success.trendmicro.com/solution/000283381" ], "synonyms": [ "QakBot", "Pinkslipbot", "QuackBot", "QBot" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", "type": "uses" }, { "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": 
"24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": 
"7e7c2fba-7cca-486c-9582-4c1bb2851961", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d4dc46e3-5ba5-45b9-8204-010867cacfcb", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": 
"ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9", "value": "QakBot - S0650" }, { "description": "[BitPaymer](https://attack.mitre.org/software/S0570) is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. [BitPaymer](https://attack.mitre.org/software/S0570) uses a unique encryption key, ransom note, and contact information for each operation. [BitPaymer](https://attack.mitre.org/software/S0570) has several indicators suggesting overlap with the [Dridex](https://attack.mitre.org/software/S0384) malware and is often delivered via [Dridex](https://attack.mitre.org/software/S0384).(Citation: Crowdstrike Indrik November 2018)", "meta": { "external_id": "S0570", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0570", "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" ], "synonyms": [ "BitPaymer", "wp_encrypt", "FriedEx" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", "type": "uses" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" 
}, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "fa766a65-5136-4ff3-8429-36d08eaa0100", "value": "BitPaymer - S0570" }, { "description": "[eSurv](https://attack.mitre.org/software/S0507) is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)", "meta": { "external_id": "S0507", "mitre_platforms": [ "Android", "iOS" ], "refs": [ "https://attack.mitre.org/software/S0507", "https://blog.lookout.com/esurv-research" ], "synonyms": [ "eSurv" ] }, "related": [ { "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "dfafc230-5465-4993-8dc5-f51fa9fec002", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "e422b6fa-4739-46b9-992e-82f1b350c780", "type": "uses" } ], "uuid": "680f680c-eef9-4f8a-b5f5-f451bf47e403", "value": "eSurv - S0507" }, { "description": "[SslMM](https://attack.mitre.org/software/S0058) is a full-featured backdoor used by [Naikon](https://attack.mitre.org/groups/G0019) that has multiple variants. 
(Citation: Baumgartner Naikon 2015)", "meta": { "external_id": "S0058", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0058", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [ "SslMM" ] }, "related": [ { "dest-uuid": "009db412-762d-4256-8df9-eb213be01ffd", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "value": "SslMM - S0058" }, { "description": "[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)", "meta": { "external_id": "S0509", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0509", "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" ], "synonyms": [ "FakeSpy" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": 
"45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" } ], "uuid": "838f647e-8ff8-48bd-bbd5-613cee7736cb", "value": "FakeSpy - S0509" }, { "description": "[WinMM](https://attack.mitre.org/software/S0059) is a full-featured, simple backdoor used by [Naikon](https://attack.mitre.org/groups/G0019). 
(Citation: Baumgartner Naikon 2015)", "meta": { "external_id": "S0059", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0059", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [ "WinMM" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "6a100902-7204-4f20-b838-545ed86d4428", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "22addc7b-b39f-483d-979a-1b35147da5de", "value": "WinMM - S0059" }, { "description": "[Clambling](https://attack.mitre.org/software/S0660) is a modular backdoor written in C++ that has been used by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2017.(Citation: Trend Micro DRBControl February 2020)", "meta": { "external_id": "S0660", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0660", "https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" ], "synonyms": [ "Clambling" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { 
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": 
"6e95feb1-78ee-48d3-b421-4d76663b5c49", "value": "Clambling - S0660" }, { "description": "[WarzoneRAT](https://attack.mitre.org/software/S0670) is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)", "meta": { "external_id": "S0670", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0670", "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/", "https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique" ], "synonyms": [ "WarzoneRAT", "Warzone", "Ave Maria" ] }, "related": [ { "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": 
"7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" } ], "uuid": "fde19a18-e502-467f-be14-58c71b4e7f4b", "value": "WarzoneRAT - S0670" }, { "description": "[KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. 
[KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)", "meta": { "external_id": "S0607", "mitre_platforms": [ "Linux", "Windows" ], "refs": [ "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/", "https://attack.mitre.org/software/S0607", "https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/", "https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html", "https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html" ], "synonyms": [ "KillDisk", "Win32/KillDisk.NBI", "Win32/KillDisk.NBH", "Win32/KillDisk.NBD", "Win32/KillDisk.NBC", "Win32/KillDisk.NBB" ] }, "related": [ { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": 
"b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" } ], "uuid": "e221eb77-1502-4129-af1d-fe1ad55e7ec6", "value": "KillDisk - S0607" }, { "description": "[FakeM](https://attack.mitre.org/software/S0076) is a shellcode-based Windows backdoor that has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). (Citation: Scarlet Mimic Jan 2016)", "meta": { "external_id": "S0076", "mitre_platforms": [ "Windows" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/", "https://attack.mitre.org/software/S0076" ], "synonyms": [ "FakeM" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" } ], "uuid": "bb3c1098-d654-4620-bf40-694386d28921", "value": "FakeM - S0076" }, { "description": "[pngdowner](https://attack.mitre.org/software/S0067) is malware used by [Putter Panda](https://attack.mitre.org/groups/G0024). It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple \"download-and-execute\" utility. 
(Citation: CrowdStrike Putter Panda)", "meta": { "external_id": "S0067", "mitre_platforms": [ "Windows" ], "refs": [ "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", "https://attack.mitre.org/software/S0067" ], "synonyms": [ "pngdowner" ] }, "related": [ { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", "value": "pngdowner - S0067" }, { "description": "[Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way onto computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)", "meta": { "external_id": "S0608", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0608", "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml", "https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm" ], "synonyms": [ "Conficker", "Kido", "Downadup" ] }, "related": [ { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": 
"9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "58eddbaf-7416-419a-ad7b-e65b9d4c3b55", "value": "Conficker - S0608" }, { "description": "[LitePower](https://attack.mitre.org/software/S0680) is a downloader and second stage malware that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) since at least 2021.(Citation: Kaspersky WIRTE November 2021)", "meta": { "external_id": "S0680", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0680", "https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" ], "synonyms": [ "LitePower" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": 
"9020f5c7-efde-4125-a4f1-1b70f1274ddd", "value": "LitePower - S0680" }, { "description": "[ZLib](https://attack.mitre.org/software/S0086) is a full-featured backdoor that was used as a second-stage implant during [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) since at least 2014. [ZLib](https://attack.mitre.org/software/S0086) is malware and should not be confused with the legitimate compression library from which its name is derived.(Citation: Cylance Dust Storm)", "meta": { "external_id": "S0086", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0086", "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" ], "synonyms": [ "ZLib" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", "value": "ZLib - S0086" }, { "description": "[httpclient](https://attack.mitre.org/software/S0068) is malware used by [Putter Panda](https://attack.mitre.org/groups/G0024). It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. 
(Citation: CrowdStrike Putter Panda)", "meta": { "external_id": "S0068", "mitre_platforms": [ "Windows" ], "refs": [ "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", "https://attack.mitre.org/software/S0068" ], "synonyms": [ "httpclient" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", "value": "httpclient - S0068" }, { "description": "[BLACKCOFFEE](https://attack.mitre.org/software/S0069) is malware that has been used by several Chinese groups since at least 2013. (Citation: FireEye APT17) (Citation: FireEye Periscope March 2018)", "meta": { "external_id": "S0069", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0069", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf" ], "synonyms": [ "BLACKCOFFEE" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" } ], "uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", "value": "BLACKCOFFEE - S0069" }, { "description": "This entry was deprecated as it was inadvertently added to Enterprise; a similar Software entry was created for ATT&CK for ICS.\n\n[TRITON](https://attack.mitre.org/software/S0609) is an 
attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. [TRITON](https://attack.mitre.org/software/S0609) was deployed against at least one target in the Middle East. (Citation: FireEye TRITON 2017)(Citation: FireEye TRITON 2018)(Citation: Dragos TRISIS)(Citation: CISA HatMan)(Citation: FireEye TEMP.Veles 2018)", "meta": { "external_id": "S0609", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0609", "https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf", "https://www.dragos.com/wp-content/uploads/TRISIS-01.pdf", "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", "https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html", "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html" ], "synonyms": [ "TRITON", "HatMan", "TRISIS" ] }, "related": [], "uuid": "93ae2edf-a598-4d2d-acd7-bcae0c021923", "value": "TRITON - S0609" }, { "description": "[CallMe](https://attack.mitre.org/software/S0077) is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. 
(Citation: Scarlet Mimic Jan 2016)", "meta": { "external_id": "S0077", "mitre_platforms": [ "macOS" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/", "https://attack.mitre.org/software/S0077" ], "synonyms": [ "CallMe" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", "value": "CallMe - S0077" }, { "description": "[Psylo](https://attack.mitre.org/software/S0078) is a shellcode-based Trojan that has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). It has characteristics similar to those of [FakeM](https://attack.mitre.org/software/S0076). (Citation: Scarlet Mimic Jan 2016)", "meta": { "external_id": "S0078", "mitre_platforms": [ "Windows" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/", "https://attack.mitre.org/software/S0078" ], "synonyms": [ "Psylo" ] }, "related": [ { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", "value": "Psylo - S0078" }, { "description": "[MobileOrder](https://attack.mitre.org/software/S0079) is a Trojan intended to compromise Android mobile devices. It has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). 
(Citation: Scarlet Mimic Jan 2016)", "meta": { "external_id": "S0079", "refs": [ "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/", "https://attack.mitre.org/software/S0079" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", "value": "MobileOrder - S0079" }, { "description": "[Kasidet](https://attack.mitre.org/software/S0088) is a backdoor that has been dropped by using malicious VBA macros. (Citation: Zscaler Kasidet)", "meta": { "external_id": "S0088", "mitre_platforms": [ "Windows" ], "refs": [ "http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html", "https://attack.mitre.org/software/S0088" ], "synonyms": [ "Kasidet" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3760920e-4d1a-40d8-9e60-508079499076", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { 
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", "value": "Kasidet - S0088" }, { "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)", "meta": { "external_id": "S0089", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0089", "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" ], "synonyms": [ "BlackEnergy", "Black Energy" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "5a22cad7-65fa-4b7a-a7aa-7915a6101efa", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "82c644ab-550a-4a83-9b35-d545f4719069", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "value": "BlackEnergy - S0089" }, { "description": "[H1N1](https://attack.mitre.org/software/S0132) is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. 
(Citation: Cisco H1N1 Part 1)", "meta": { "external_id": "S0132", "mitre_platforms": [ "Windows" ], "refs": [ "http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities", "https://attack.mitre.org/software/S0132" ], "synonyms": [ "H1N1" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "value": "H1N1 - S0132" }, { "description": "[SLIGHTPULSE](https://attack.mitre.org/software/S1110) is a web shell that was used by [APT5](https://attack.mitre.org/groups/G1023) as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", "meta": { "external_id": "S1110", "mitre_platforms": [ "Network", "Linux" ], "refs": [ "https://attack.mitre.org/software/S1110", "https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day" ], "synonyms": [ "SLIGHTPULSE" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": 
"1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "d1008b78-960c-4b36-bdc4-39a734e1e4e3", "value": "SLIGHTPULSE - S1110" }, { "description": "[LoFiSe](https://attack.mitre.org/software/S1101) has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2023 to identify and collect files of interest on targeted systems.(Citation: Kaspersky ToddyCat Check Logs October 2023)", "meta": { "external_id": "S1101", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1101", "https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" ], "synonyms": [ "LoFiSe" ] }, "related": [ { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" } ], "uuid": "452da2d9-706c-4185-ad6f-f5edaf4b9f48", "value": "LoFiSe - S1101" }, { "description": "[Tarrask](https://attack.mitre.org/software/S1011) is malware that has been used by [HAFNIUM](https://attack.mitre.org/groups/G0125) since at least August 2021. 
[Tarrask](https://attack.mitre.org/software/S1011) was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.(Citation: Tarrask scheduled task)", "meta": { "external_id": "S1011", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1011", "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/" ], "synonyms": [ "Tarrask" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" } ], "uuid": "988976ff-beeb-4fb5-b07d-ca7437ea66e8", "value": "Tarrask - S1011" }, { "description": "[FRAMESTING](https://attack.mitre.org/software/S1120) is a Python web shell that was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to embed into an Ivanti Connect Secure Python package for command execution.(Citation: Mandiant Cutting Edge Part 2 January 2024)", "meta": { "external_id": "S1120", "mitre_platforms": [ "Network" ], "refs": [ "https://attack.mitre.org/software/S1120", "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" ], "synonyms": [ "FRAMESTING" ] }, "related": [ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, { "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "type": "uses" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" }, { "dest-uuid": 
"cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "bcaae558-9697-47a2-9ec7-c75000ddf58c", "value": "FRAMESTING - S1120" }, { "description": "[ROCKBOOT](https://attack.mitre.org/software/S0112) is a [Bootkit](https://attack.mitre.org/techniques/T1542/003) that has been used by an unidentified, suspected China-based group. (Citation: FireEye Bootkits)", "meta": { "external_id": "S0112", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0112", "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html" ], "synonyms": [ "ROCKBOOT" ] }, "related": [ { "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", "type": "uses" } ], "uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", "value": "ROCKBOOT - S0112" }, { "description": "[DnsSystem](https://attack.mitre.org/software/S1021) is a .NET-based DNS backdoor, a customized version of the open-source tool DIG.net, that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2022.(Citation: Zscaler Lyceum DnsSystem June 2022)", "meta": { "external_id": "S1021", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1021", "https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor" ], "synonyms": [ "DnsSystem" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "8a2867f9-e8fc-4bf1-a860-ef6e46311900", "value": "DnsSystem - S1021" }, { "description": "[PowerLess](https://attack.mitre.org/software/S1012) is a PowerShell-based modular backdoor that has been used by [Magic Hound](https://attack.mitre.org/groups/G0059) since at least 2022.(Citation: Cybereason PowerLess February 2022)", "meta": { "external_id": "S1012", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1012", "https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage" ], "synonyms": [ "PowerLess" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "35ee9bf3-264b-4411-8a8f-b58cec8f35e4", "value": "PowerLess - S1012" }, { "description": "[Linfo](https://attack.mitre.org/software/S0211) is a rootkit trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. 
(Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Linfo May 2012)", "meta": { "external_id": "S0211", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0211", "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99" ], "synonyms": [ "Linfo" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613", "value": "Linfo - S0211" }, { "description": "[Pcexter](https://attack.mitre.org/software/S1102) is an uploader that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2023 to exfiltrate stolen files.(Citation: Kaspersky ToddyCat Check Logs October 2023)", "meta": { "external_id": "S1102", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1102", "https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" ], "synonyms": [ "Pcexter" ] }, "related": [ { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" 
} ], "uuid": "e4feffc2-53d1-45c9-904e-adb9faca0d15", "value": "Pcexter - S1102" }, { "description": "[PS1](https://attack.mitre.org/software/S0613) is a loader that was used to deploy 64-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)", "meta": { "external_id": "S0613", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0613", "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" ], "synonyms": [ "PS1" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "13183cdf-280b-46be-913a-5c6df47831e7", "value": "PS1 - S0613" }, { "description": "[FlixOnline](https://attack.mitre.org/software/S1103) is an Android malware, first detected in early 2021, believed to target users of WhatsApp. 
[FlixOnline](https://attack.mitre.org/software/S1103) primarily spreads via automatic replies to a device’s incoming WhatsApp messages.(Citation: checkpoint_flixonline_0421) ", "meta": { "external_id": "S1103", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1103", "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/" ], "synonyms": [ "FlixOnline" ] }, "related": [ { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" } ], "uuid": "0ec9593f-3221-49b1-b597-37f307c19f13", "value": "FlixOnline - S1103" }, { "description": "[TINYTYPHON](https://attack.mitre.org/software/S0131) is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. 
(Citation: Forcepoint Monsoon)", "meta": { "external_id": "S0131", "refs": [ "https://attack.mitre.org/software/S0131", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" ], "synonyms": [ "TINYTYPHON" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" } ], "uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", "value": "TINYTYPHON - S0131" }, { "description": "[PingPull](https://attack.mitre.org/software/S1031) is a remote access Trojan (RAT) written in Visual C++ that has been used by [GALLIUM](https://attack.mitre.org/groups/G0093) since at least June 2022. [PingPull](https://attack.mitre.org/software/S1031) has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.(Citation: Unit 42 PingPull Jun 2022)", "meta": { "external_id": "S1031", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1031", "https://unit42.paloaltonetworks.com/pingpull-gallium/" ], "synonyms": [ "PingPull" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { 
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "3a0f6128-0a01-421d-8eca-e57d8671b1f1", "value": "PingPull - S1031" }, { "description": "[Prikormka](https://attack.mitre.org/software/S0113) is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. (Citation: ESET Operation Groundbait)", "meta": { "external_id": "S0113", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf", "https://attack.mitre.org/software/S0113" ], "synonyms": [ "Prikormka" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": 
"3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "67ade442-63f2-4319-bdcd-d2564b963ed6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" } ], "uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "value": "Prikormka - S0113" }, { "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)", "meta": { "external_id": "S0311", "mitre_platforms": [ "Android", "iOS" ], "refs": [ "https://attack.mitre.org/software/S0311", "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/" ], "synonyms": [ "YiSpecter" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "670a4d75-103b-4b14-8a9e-4652fa795edd", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "type": "uses" }, { "dest-uuid": 
"d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" }, { "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "type": "uses" }, { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "type": "uses" } ], "uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9", "value": "YiSpecter - S0311" }, { "description": "[ZxxZ](https://attack.mitre.org/software/S1013) is a trojan written in Visual C++ that has been used by [BITTER](https://attack.mitre.org/groups/G1002) since at least August 2021, including against Bangladeshi government personnel.(Citation: Cisco Talos Bitter Bangladesh May 2022)", "meta": { "external_id": "S1013", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1013", "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html" ], "synonyms": [ "ZxxZ" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": 
"uses" } ], "uuid": "97cfbdc6-504d-41e9-a46c-78a9f806ff0d", "value": "ZxxZ - S1013" }, { "description": "[BOOTRASH](https://attack.mitre.org/software/S0114) is a [Bootkit](https://attack.mitre.org/techniques/T1542/003) that targets Windows operating systems. It has been used by threat actors that target the financial sector.(Citation: Mandiant M Trends 2016)(Citation: FireEye Bootkits)(Citation: FireEye BOOTRASH SANS)", "meta": { "external_id": "S0114", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0114", "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html", "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498163766.pdf" ], "synonyms": [ "BOOTRASH" ] }, "related": [ { "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", "type": "uses" }, { "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", "type": "uses" } ], "uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3", "value": "BOOTRASH - S0114" }, { "description": "[DanBot](https://attack.mitre.org/software/S1014) is a first-stage remote access Trojan written in C# that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least 2018.(Citation: SecureWorks August 2019)", "meta": { "external_id": "S1014", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1014", "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" ], "synonyms": [ "DanBot" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": 
"232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "b8d48deb-450c-44f6-a934-ac8765aa89cb", "value": "DanBot - S1014" }, { "description": "[Chinoxy](https://attack.mitre.org/software/S1041) is a backdoor that has been used since at least November 2018, during the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign, to gain persistence and drop additional payloads. According to security researchers, [Chinoxy](https://attack.mitre.org/software/S1041) has been used by Chinese-speaking threat actors.(Citation: Bitdefender FunnyDream Campaign November 2020)", "meta": { "external_id": "S1041", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1041", "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" ], "synonyms": [ "Chinoxy" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" } ], "uuid": "0b639373-5f03-430e-b8f9-2fe8c8faad8e", "value": "Chinoxy - S1041" }, { "description": "[SLOWPULSE](https://attack.mitre.org/software/S1104) is a malware that was used by 
[APT5](https://attack.mitre.org/groups/G1023) as early as 2020 including against U.S. Defense Industrial Base (DIB) companies. [SLOWPULSE](https://attack.mitre.org/software/S1104) has several variants and can modify legitimate Pulse Secure VPN files in order to log credentials and bypass single and two-factor authentication flows.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", "meta": { "external_id": "S1104", "mitre_platforms": [ "Network" ], "refs": [ "https://attack.mitre.org/software/S1104", "https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day" ], "synonyms": [ "SLOWPULSE" ] }, "related": [ { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc", "type": "uses" }, { "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", "type": "uses" }, { "dest-uuid": "fa44a152-ac48-441e-a524-dd7b04b8adcd", "type": "uses" } ], "uuid": "f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4", "value": "SLOWPULSE - S1104" }, { "description": "[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. 
It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)", "meta": { "external_id": "S0411", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0411", "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" ], "synonyms": [ "Rotexy" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "acf8fd2a-dc98-43b4-8d37-64e10728e591", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "bb4387ab-7a51-468b-bf5f-a9a8612f0303", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" }, { "dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626", "type": "uses" } ], "uuid": "0626c181-93cb-4860-9cb0-dff3b1c13063", "value": "Rotexy - S0411" }, { "description": "[HALFBAKED](https://attack.mitre.org/software/S0151) is a malware family consisting of multiple components intended to establish persistence in victim networks. 
(Citation: FireEye FIN7 April 2017)", "meta": { "external_id": "S0151", "refs": [ "https://attack.mitre.org/software/S0151", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "2815a353-cd56-4ed0-8581-812b94f7a326", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" } ], "uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", "value": "HALFBAKED - S0151" }, { "description": "[COATHANGER](https://attack.mitre.org/software/S1105) is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, [COATHANGER](https://attack.mitre.org/software/S1105) was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. [COATHANGER](https://attack.mitre.org/software/S1105) is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. 
The name [COATHANGER](https://attack.mitre.org/software/S1105) is based on a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up”.(Citation: NCSC-NL COATHANGER Feb 2024)", "meta": { "external_id": "S1105", "mitre_platforms": [ "Linux", "Network" ], "refs": [ "https://attack.mitre.org/software/S1105", "https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf" ], "synonyms": [ "COATHANGER" ] }, "related": [ { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", "type": "uses" }, { "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "0c242cc5-58d3-4fe3-a866-b00a4b6fb817", "value": "COATHANGER - S1105" }, { "description": 
"[Crimson](https://attack.mitre.org/software/S0115) is a remote access Trojan that has been used by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2016.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)", "meta": { "external_id": "S0115", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0115", "https://securelist.com/transparent-tribe-part-1/98127/", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ], "synonyms": [ "Crimson", "MSIL/Crimson" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "858edfb8-793a-430b-8acc-4310e7d2f0d3", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8d8efbc6-d1b7-4ec8-bab3-591edba337d0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a61fc694-a88a-484d-a648-db35b49932fd", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "value": "Crimson - S0115" }, { "description": "[RegDuke](https://attack.mitre.org/software/S0511) is a first stage implant written in .NET and used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2017. 
[RegDuke](https://attack.mitre.org/software/S0511) has been used to control a compromised machine when control of other implants on the machine was lost.(Citation: ESET Dukes October 2019)", "meta": { "external_id": "S0511", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0511", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" ], "synonyms": [ "RegDuke" ] }, "related": [ { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "47124daf-44be-4530-9c63-038bc64318dd", "value": "RegDuke - S0511" }, { "description": "[KEYPLUG](https://attack.mitre.org/software/S1051) is a modular backdoor written in C++, with Windows and Linux variants, that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least June 2021.(Citation: Mandiant APT41)", "meta": { "external_id": "S1051", "mitre_platforms": [ "Linux", "Windows" ], "refs": [ "https://attack.mitre.org/software/S1051", "https://www.mandiant.com/resources/apt41-us-state-governments" ], "synonyms": [ "KEYPLUG", "KEYPLUG.LINUX" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { 
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" } ], "uuid": "6c575670-d14c-4c7f-9b9d-fd1b363e255d", "value": "KEYPLUG - S1051" }, { "description": "[Milan](https://attack.mitre.org/software/S1015) is a backdoor implant based on [DanBot](https://attack.mitre.org/software/S1014) that was written in Visual C++ and .NET. [Milan](https://attack.mitre.org/software/S1015) has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2020.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)", "meta": { "external_id": "S1015", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1015", "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf", "https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns", "https://www.clearskysec.com/siamesekitten/" ], "synonyms": [ "Milan", "James" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": 
"3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "aea6d6b8-d832-4c90-a1bb-f52c6684db6c", "value": "Milan - S1015" }, { "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. 
[AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.(Citation: lookout_abstractemu_1021)", "meta": { "external_id": "S1061", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1061", "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign" ], "synonyms": [ "AbstractEmu" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "27d18e87-8f32-4be1-b456-39b90454360f", "type": "uses" }, { "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", "type": "uses" }, { "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": 
"uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "2aec175b-4429-4048-8e09-3ef6cbecfc64", "value": "AbstractEmu - S1061" }, { "description": "[XAgentOSX](https://attack.mitre.org/software/S0161) is a trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be a port of their standard [CHOPSTICK](https://attack.mitre.org/software/S0023) or XAgent trojan. (Citation: XAgentOSX 2017)", "meta": { "external_id": "S0161", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0161", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/", "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" ], "synonyms": [ "XAgentOSX", "OSX.Sofacy" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" } ], "uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "value": "XAgentOSX - S0161" }, { "description": "[Clop](https://attack.mitre.org/software/S0611) is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, 
telecommunications, professional and legal services, healthcare, and high tech industries. [Clop](https://attack.mitre.org/software/S0611) is a variant of the CryptoMix ransomware.(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)(Citation: Unit42 Clop April 2021) ", "meta": { "external_id": "S0611", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0611", "https://unit42.paloaltonetworks.com/clop-ransomware/", "https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/" ], "synonyms": [ "Clop" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "cad3ba95-8c89-4146-ab10-08daa813f9de", "value": "Clop - S0611" }, { "description": 
"[NGLite](https://attack.mitre.org/software/S1106) is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.(Citation: NGLite Trojan)", "meta": { "external_id": "S1106", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1106", "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/" ], "synonyms": [ "NGLite" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "72b5f07f-5448-4e00-9ff2-08bc193a7b77", "value": "NGLite - S1106" }, { "description": "[MacMa](https://attack.mitre.org/software/S1016) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. 
[MacMa](https://attack.mitre.org/software/S1016) has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022)", "meta": { "external_id": "S1016", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S1016", "https://objective-see.org/blog/blog_0x69.html", "https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" ], "synonyms": [ "MacMa", "OSX.CDDS", "DazzleSpy" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3", "type": "uses" }, { "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", "type": "uses" }, { "dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "type": 
"uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "bdee9574-7479-4073-a7dc-e86d8acd073a", "value": "MacMa - S1016" }, { "description": "[NKAbuse](https://attack.mitre.org/software/S1107) is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities.(Citation: NKAbuse BC)(Citation: NKAbuse SL)", "meta": { "external_id": "S1107", "mitre_platforms": [ "Linux", "macOS", "Windows" ], "refs": [ "https://attack.mitre.org/software/S1107", "https://securelist.com/unveiling-nkabuse/111512/", "https://www.bleepingcomputer.com/news/security/new-nkabuse-malware-abuses-nkn-blockchain-for-stealthy-comms/#google_vignette" ], "synonyms": [ "NKAbuse" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", "type": "uses" } ], "uuid": "bd2ebee8-7c38-408a-871d-221012104222", "value": "NKAbuse - S1107" }, { "description": "[Felismus](https://attack.mitre.org/software/S0171) is a modular backdoor that has been used by [Sowbug](https://attack.mitre.org/groups/G0054). 
(Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)", "meta": { "external_id": "S0171", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0171", "https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware", "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" ], "synonyms": [ "Felismus" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", "value": "Felismus - S0171" }, { "description": "[OutSteel](https://attack.mitre.org/software/S1017) is a file uploader and document stealer developed with the scripting language AutoIT that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "meta": { "external_id": "S1017", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1017", "https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" ] }, "related": [ { "dest-uuid": 
"232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "c113230f-f044-423b-af63-9b63c802f5ae", "value": "OutSteel - S1017" }, { "description": "[XTunnel](https://attack.mitre.org/software/S0117) is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by [APT28](https://attack.mitre.org/groups/G0007) during the compromise of the Democratic National Committee. 
(Citation: Crowdstrike DNC June 2016) (Citation: Invincea XTunnel) (Citation: ESET Sednit Part 2)", "meta": { "external_id": "S0117", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://attack.mitre.org/software/S0117", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/", "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" ], "synonyms": [ "XTunnel", "Trojan.Shunnael", "X-Tunnel", "XAPS" ] }, "related": [ { "dest-uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "6d180bd7-3c77-4faf-b98b-dc2ab5f49101", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "value": "XTunnel - S0117" }, { "description": "[BADHATCH](https://attack.mitre.org/software/S1081) is a backdoor that has been utilized by [FIN8](https://attack.mitre.org/groups/G0061) since at least 2019. 
[BADHATCH](https://attack.mitre.org/software/S1081) has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)", "meta": { "external_id": "S1081", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1081", "https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/", "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" ], "synonyms": [ "BADHATCH" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "type": "uses" }, { "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { 
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "3553b49d-d4ae-4fb6-ab17-0adbc520c888", "value": "BADHATCH - S1081" }, { "description": "[FALLCHILL](https://attack.mitre.org/software/S0181) is a RAT that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other [Lazarus Group](https://attack.mitre.org/groups/G0032) malware or delivered when a victim unknowingly visits a compromised website. 
(Citation: US-CERT FALLCHILL Nov 2017)", "meta": { "external_id": "S0181", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0181", "https://www.us-cert.gov/ncas/alerts/TA17-318A" ], "synonyms": [ "FALLCHILL" ] }, "related": [ { "dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e0bea149-2def-484f-b658-f782a4f94815", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", "value": "FALLCHILL - S0181" }, { "description": "[PULSECHECK](https://attack.mitre.org/software/S1108) is a web shell written in Perl that was used by [APT5](https://attack.mitre.org/groups/G1023) as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) companies.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", "meta": { "external_id": "S1108", "mitre_platforms": [ "Network", "Linux" ], "refs": [ "https://attack.mitre.org/software/S1108", "https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day" ], "synonyms": [ "PULSECHECK" ] }, "related": [ { "dest-uuid": 
"04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "9a097d18-d15f-4635-a4f1-189df7efdc40", "value": "PULSECHECK - S1108" }, { "description": "[Nidiran](https://attack.mitre.org/software/S0118) is a custom backdoor developed and used by [Suckfly](https://attack.mitre.org/groups/G0039). It has been delivered via strategic web compromise. (Citation: Symantec Suckfly March 2016)", "meta": { "external_id": "S0118", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates", "https://attack.mitre.org/software/S0118" ], "synonyms": [ "Nidiran", "Backdoor.Nidiran" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", "value": "Nidiran - S0118" }, { "description": "[PACEMAKER](https://attack.mitre.org/software/S1109) is a credential stealer that was used by [APT5](https://attack.mitre.org/groups/G1023) as early as 2020 including activity against US Defense Industrial Base (DIB) companies.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", "meta": { "external_id": "S1109", "mitre_platforms": [ "Network", "Linux" ], "refs": [ "https://attack.mitre.org/software/S1109", "https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day" ], "synonyms": [ "PACEMAKER" ] }, "related": [ { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "3120b9fa-23b8-4500-ae73-09494f607b7d", 
"type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "ea016b56-ae0e-47fe-967a-cc0ad51af67f", "type": "uses" } ], "uuid": "647215dd-29a6-4528-b354-ca8b5e08fca1", "value": "PACEMAKER - S1109" }, { "description": "[Shark](https://attack.mitre.org/software/S1019) is a backdoor malware written in C# and .NET that is an updated version of [Milan](https://attack.mitre.org/software/S1015); it has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least July 2021.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)", "meta": { "external_id": "S1019", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1019", "https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns", "https://www.clearskysec.com/siamesekitten/" ], "synonyms": [ "Shark" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", 
"type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "99854cc8-f202-4e03-aa0a-4f8a4af93229", "value": "Shark - S1019" }, { "description": "[Concipit1248](https://attack.mitre.org/software/S0426) is iOS spyware that was discovered using the same name as the developer of the Android spyware [Corona Updates](https://attack.mitre.org/software/S0425). Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.(Citation: TrendMicro Coronavirus Updates)", "meta": { "external_id": "S0426", "mitre_platforms": [ "iOS" ], "refs": [ "https://attack.mitre.org/software/S0426", "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" ], "synonyms": [ "Concipit1248", "Corona Updates" ] }, "related": [ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" } ], "uuid": "89c3dbf6-f281-41b7-be1d-a0e641014853", "value": "Concipit1248 - S0426" }, { "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. 
The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022; however, it was discovered before deployment, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)", "meta": { "external_id": "S1072", "mitre_platforms": [ "Field Controller/RTU/PLC/IED", "Engineering Workstation" ], "refs": [ "https://attack.mitre.org/software/S1072", "https://www.youtube.com/watch?v=xC9iM5wVedQ" ], "synonyms": [ "Industroyer2" ] }, "related": [ { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" } ], "uuid": "6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", "value": "Industroyer2 - S1072" }, { "description": "[CORALDECK](https://attack.mitre.org/software/S0212) is an exfiltration tool used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0212", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0212", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" ], "synonyms": [ "CORALDECK" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "becf81e5-f989-4093-a67d-d55a0483885f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e", "value": "CORALDECK - S0212" }, { "description": "[IceApple](https://attack.mitre.org/software/S1022) is a modular Internet Information Services (IIS) post-exploitation framework that has been used since at least 2021 against the technology, academic, and government sectors.(Citation: CrowdStrike IceApple May 2022)", "meta": { "external_id": "S1022", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1022", 
"https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf" ], "synonyms": [ "IceApple" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "uses" }, { "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "dd889a55-fb2c-4ec7-8e9f-c399939a49e1", "value": "IceApple - S1022" }, { "description": "A Linux rootkit that provides backdoor access and hides from defenders.", "meta": { "external_id": "S0221", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S0221", 
"https://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/?_ga=2.180041126.367598458.1505420282-1759340220.1502477046" ], "synonyms": [ "Umbreon" ] }, "related": [ { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "2a18f5dd-40fc-444b-a7c6-85f94b3eee13", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "type": "uses" }, { "dest-uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" } ], "uuid": "3d8e547d-9456-4f32-a895-dc86134e282f", "value": "Umbreon - S0221" }, { "description": "[ccf32](https://attack.mitre.org/software/S1043) is data collection malware that has been used since at least February 2019, most notably during the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign; there is also a similar x64 version.(Citation: Bitdefender FunnyDream Campaign November 2020)", "meta": { "external_id": "S1043", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1043", "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" ], "synonyms": [ "ccf32" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { 
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "a394448a-4576-41b8-81cc-9b61abad94ab", "value": "ccf32 - S1043" }, { "description": "[DOGCALL](https://attack.mitre.org/software/S0213) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0213", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0213", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" ], "synonyms": [ "DOGCALL" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "a5e851b4-e046-43b6-bc6e-c6c008e3c5aa", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", "value": "DOGCALL - S0213" }, { "description": "[PyDCrypt](https://attack.mitre.org/software/S1032) is malware written in Python designed to deliver [DCSrv](https://attack.mitre.org/software/S1033). 
It has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) since at least September 2021, with each sample tailored for its intended victim organization.(Citation: Checkpoint MosesStaff Nov 2021)", "meta": { "external_id": "S1032", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1032", "https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" ], "synonyms": [ "PyDCrypt" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" } ], "uuid": "2ac41e8b-4865-4ced-839d-78e7852c47f3", "value": "PyDCrypt - S1032" }, { "description": "[CreepyDrive](https://attack.mitre.org/software/S1023) is a custom implant that has been used by [POLONIUM](https://attack.mitre.org/groups/G1005) since at least early 2022 for C2 with and exfiltration to actor-controlled OneDrive accounts.(Citation: Microsoft POLONIUM June 2022)\n\n[POLONIUM](https://attack.mitre.org/groups/G1005) has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.(Citation: Microsoft POLONIUM June 2022)", "meta": { "external_id": "S1023", "mitre_platforms": [ "Windows", "Office 365" ], "refs": [ "https://attack.mitre.org/software/S1023", 
"https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" ], "synonyms": [ "CreepyDrive" ] }, "related": [ { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", "type": "uses" } ], "uuid": "750eb92a-7fdf-451e-9592-1d42357018f1", "value": "CreepyDrive - S1023" }, { "description": "[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. (Citation: ArsTechnica-HummingWhale)", "meta": { "external_id": "S0321", "refs": [ "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/", "https://attack.mitre.org/software/S0321" ] }, "related": [ { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" } ], "uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f", "value": "HummingWhale - S0321" }, { "description": "[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. 
(Citation: PaloAlto-WireLurker)", "meta": { "external_id": "S0312", "refs": [ "https://attack.mitre.org/software/S0312", "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" ] }, "related": [ { "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", "type": "uses" }, { "dest-uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" } ], "uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "value": "WireLurker - S0312" }, { "description": "[RATANKBA](https://attack.mitre.org/software/S0241) is a remote controller tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032). [RATANKBA](https://attack.mitre.org/software/S0241) has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. [RATANKBA](https://attack.mitre.org/software/S0241) has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. 
(Citation: Lazarus RATANKBA) (Citation: RATANKBA)", "meta": { "external_id": "S0241", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0241", "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/", "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" ], "synonyms": [ "RATANKBA" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "value": "RATANKBA - S0241" }, { "description": "[SUGARDUMP](https://attack.mitre.org/software/S1042) is a proprietary browser credential harvesting tool that was used by UNC3890 during the [C0010](https://attack.mitre.org/campaigns/C0010) campaign. 
The first known [SUGARDUMP](https://attack.mitre.org/software/S1042) version was used since at least early 2021, a second SMTP C2 version was used from late 2021-early 2022, and a third HTTP C2 variant was used since at least April 2022.(Citation: Mandiant UNC3890 Aug 2022)", "meta": { "external_id": "S1042", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1042", "https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" ], "synonyms": [ "SUGARDUMP" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" } ], "uuid": "9c10cede-c0bb-4c5c-91c0-8baec30abaf6", "value": "SUGARDUMP - S1042" }, { "description": "[HAPPYWORK](https://attack.mitre.org/software/S0214) is a downloader used by [APT37](https://attack.mitre.org/groups/G0067) to target South Korean government and financial victims in November 2016. 
(Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0214", "refs": [ "https://attack.mitre.org/software/S0214", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "656cd201-d57a-4a2f-a201-531eb4922a72", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68", "value": "HAPPYWORK - S0214" }, { "description": "[CreepySnail](https://attack.mitre.org/software/S1024) is a custom PowerShell implant that has been used by [POLONIUM](https://attack.mitre.org/groups/G1005) since at least 2022.(Citation: Microsoft POLONIUM June 2022)", "meta": { "external_id": "S1024", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1024", "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" ], "synonyms": [ "CreepySnail" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "d23de441-f9cf-4802-b1ff-f588a11a896b", "value": "CreepySnail - S1024" }, { "description": "[StreamEx](https://attack.mitre.org/software/S0142) is a malware family that has been used by [Deep Panda](https://attack.mitre.org/groups/G0009) since at least 2015. 
In 2016, it was distributed via legitimate compromised Korean websites. (Citation: Cylance Shell Crew Feb 2017)", "meta": { "external_id": "S0142", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0142", "https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" ], "synonyms": [ "StreamEx" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9991ace8-1a62-498c-a9ef-19d474deb505", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" } ], "uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", "value": "StreamEx - S0142" }, { "description": "[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)", "meta": { "external_id": "S0421", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0421", "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" ], "synonyms": [ "GolfSpy" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": 
"32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec", "type": "uses" } ], "uuid": "c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "value": "GolfSpy - S0421" }, { "description": "[Pisloader](https://attack.mitre.org/software/S0124) is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by [APT18](https://attack.mitre.org/groups/G0026) and is similar to another malware family, [HTTPBrowser](https://attack.mitre.org/software/S0070), that has been used by the group. 
(Citation: Palo Alto DNS Requests)", "meta": { "external_id": "S0124", "mitre_platforms": [ "Windows" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/", "https://attack.mitre.org/software/S0124" ], "synonyms": [ "Pisloader" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", "value": "Pisloader - S0124" }, { "description": "[ZxShell](https://attack.mitre.org/software/S0412) is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. 
It has been used since at least 2004.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014)", "meta": { "external_id": "S0412", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0412", "https://blogs.cisco.com/security/talos/opening-zxshell", "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" ], "synonyms": [ "ZxShell", "Sensocode" ] }, "related": [ { "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": 
"ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "uses" } ], "uuid": "cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", "value": "ZxShell - S0412" }, { "description": "[KARAE](https://attack.mitre.org/software/S0215) is a backdoor typically used by [APT37](https://attack.mitre.org/groups/G0067) as first-stage malware. 
(Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0215", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0215", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" ], "synonyms": [ "KARAE" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "70ca8408-bc45-4d39-acd2-9190ba15ea97", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", "value": "KARAE - S0215" }, { "description": "[DEADEYE](https://attack.mitre.org/software/S1052) is a malware launcher that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least May 2021. [DEADEYE](https://attack.mitre.org/software/S1052) has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).(Citation: Mandiant APT41)", "meta": { "external_id": "S1052", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1052", "https://www.mandiant.com/resources/apt41-us-state-governments" ], "synonyms": [ "DEADEYE", "DEADEYE.EMBED", "DEADEYE.APPEND" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": 
"3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" } ], "uuid": "c46eb8e6-bf29-4696-8008-3ddb0b4ca470", "value": "DEADEYE - S1052" }, { "description": "[Amadey](https://attack.mitre.org/software/S1025) is a Trojan bot that has been used since at least October 2018.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)", "meta": { "external_id": "S1025", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1025", "https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot", "https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" ], "synonyms": [ "Amadey" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "29ba5a15-3b7b-4732-b817-65ea8f6468e6", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": 
"b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "05318127-5962-444b-b900-a9dcfe0ff6e9", "value": "Amadey - S1025" }, { "description": "[FatDuke](https://attack.mitre.org/software/S0512) is a backdoor used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2016.(Citation: ESET Dukes October 2019)", "meta": { "external_id": "S0512", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0512", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" ], "synonyms": [ "FatDuke" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": 
"c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" } ], "uuid": "54a01db0-9fab-4d5f-8209-53cef8425f4a", "value": "FatDuke - S0512" }, { "description": "[EvilGrab](https://attack.mitre.org/software/S0152) is a malware family with common reconnaissance capabilities. It has been deployed by [menuPass](https://attack.mitre.org/groups/G0045) via malicious Microsoft Office documents as part of spearphishing campaigns. (Citation: PWC Cloud Hopper Technical Annex April 2017)", "meta": { "external_id": "S0152", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0152", "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" ], "synonyms": [ "EvilGrab" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c9b4ec27-0a43-4671-a967-bcac5df0e056", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", "value": "EvilGrab - S0152" }, { "description": "[Remsec](https://attack.mitre.org/software/S0125) is a modular backdoor that has been used by 
[Strider](https://attack.mitre.org/groups/G0041) and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. (Citation: Symantec Strider Blog)", "meta": { "external_id": "S0125", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets", "https://attack.mitre.org/software/S0125", "https://securelist.com/faq-the-projectsauron-apt/75533/" ], "synonyms": [ "Remsec", "Backdoor.Remsec", "ProjectSauron" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "215d9700-5881-48b8-8265-6449dbb7195d", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "type": "uses" }, { "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": 
"uses" }, { "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "value": "Remsec - S0125" }, { "description": "[Zebrocy](https://attack.mitre.org/software/S0251) is a Trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. 
(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: CISA Zebrocy Oct 2020) ", "meta": { "external_id": "S0251", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0251", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b", "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50", "https://www.cyberscoop.com/apt28-brexit-phishing-accenture/" ], "synonyms": [ "Zebrocy", "Zekapab" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": 
"7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "uses" } ], "uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", "value": "Zebrocy - S0251" }, { "description": "[ComRAT](https://attack.mitre.org/software/S0126) is a second stage implant suspected of being a descendant of [Agent.btz](https://attack.mitre.org/software/S0092) and used by [Turla](https://attack.mitre.org/groups/G0010). 
The first version of [ComRAT](https://attack.mitre.org/software/S0126) was identified in 2007, but the tool has undergone substantial development for many years since.(Citation: Symantec Waterbug)(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020)", "meta": { "external_id": "S0126", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0126", "https://docplayer.net/101655589-Tools-used-by-the-uroburos-actors.html", "https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1", "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" ], "synonyms": [ "ComRAT" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "9223bf17-7e32-4833-9574-9ffd8c929765", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": 
"d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "da079741-05e6-458c-b434-011263dc691c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", "value": "ComRAT - S0126" }, { "description": "[POORAIM](https://attack.mitre.org/software/S0216) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) in campaigns since at least 2014. 
(Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0216", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0216", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" ], "synonyms": [ "POORAIM" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "fe97ace3-9a80-42af-9eae-1f9245927e5d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79", "value": "POORAIM - S0216" }, { "description": "[Catchamas](https://attack.mitre.org/software/S0261) is a Windows Trojan that steals information from compromised systems. 
(Citation: Symantec Catchamas April 2018)", "meta": { "external_id": "S0261", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0261", "https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99" ], "synonyms": [ "Catchamas" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" } ], "uuid": "8d9e758b-735f-4cbc-ba7c-32cd15138b2a", "value": "Catchamas - S0261" }, { "description": "[Komplex](https://attack.mitre.org/software/S0162) is a backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be developed in a similar manner to [XAgentOSX](https://attack.mitre.org/software/S0161) (Citation: XAgentOSX 2017) (Citation: Sofacy Komplex Trojan).", "meta": { "external_id": "S0162", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0162", "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" ], "synonyms": [ "Komplex" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": 
"24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "f108215f-3487-489d-be8b-80e346d32518", "value": "Komplex - S0162" }, { "description": "[WastedLocker](https://attack.mitre.org/software/S0612) is a ransomware family attributed to [Indrik Spider](https://attack.mitre.org/groups/G0119) that has been used since at least May 2020. 
[WastedLocker](https://attack.mitre.org/software/S0612) has been used against a broad variety of sectors, including manufacturing, information technology, and media.(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group WastedLocker June 2020)(Citation: Sentinel Labs WastedLocker July 2020) ", "meta": { "external_id": "S0612", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0612", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us", "https://www.sentinelone.com/labs/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/" ], "synonyms": [ "WastedLocker" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": 
"ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "46cbafbc-8907-42d3-9002-5327c26f8927", "value": "WastedLocker - S0612" }, { "description": "[Mongall](https://attack.mitre.org/software/S1026) is a backdoor that has been used since at least 2013, including by [Aoqin Dragon](https://attack.mitre.org/groups/G1007).(Citation: SentinelOne Aoqin Dragon June 2022)", "meta": { "external_id": "S1026", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1026", "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" ], "synonyms": [ "Mongall" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "6fb36c6f-bb3d-4ed6-9471-cb9933e5c154", "value": "Mongall - 
S1026" }, { "description": "[BBSRAT](https://attack.mitre.org/software/S0127) is malware with remote access tool functionality that has been used in targeted compromises. (Citation: Palo Alto Networks BBSRAT)", "meta": { "external_id": "S0127", "mitre_platforms": [ "Windows" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/", "https://attack.mitre.org/software/S0127" ], "synonyms": [ "BBSRAT" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "type": "uses" }, { "dest-uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "value": "BBSRAT - S0127" }, { "description": "[KEYMARBLE](https://attack.mitre.org/software/S0271) is a Trojan that has reportedly been used by the North Korean government. 
(Citation: US-CERT KEYMARBLE Aug 2018)", "meta": { "external_id": "S0271", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0271", "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" ], "synonyms": [ "KEYMARBLE" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", "value": "KEYMARBLE - S0271" }, { "description": "[SHUTTERSPEED](https://attack.mitre.org/software/S0217) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). 
(Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0217", "refs": [ "https://attack.mitre.org/software/S0217", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "d909efe3-abc3-4be0-9640-e4727542fa2b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8", "value": "SHUTTERSPEED - S0217" }, { "description": "[Reaver](https://attack.mitre.org/software/S0172) is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the \"Five Poisons,\" which are movements the Chinese government considers dangerous. This malware is unusual in that its final payload is delivered in the form of [Control Panel](https://attack.mitre.org/techniques/T1218/002) items rather than a conventional executable.(Citation: Palo Alto Reaver Nov 2017)", "meta": { "external_id": "S0172", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0172", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" ], "synonyms": [ "Reaver" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": 
"826c31ca-2617-47e4-b236-205da3881182", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", "value": "Reaver - S0172" }, { "description": "[BADNEWS](https://attack.mitre.org/software/S0128) is malware that has been used by the actors responsible for the [Patchwork](https://attack.mitre.org/groups/G0040) campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017)", "meta": { "external_id": "S0128", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0128", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" ], "synonyms": [ "BADNEWS" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": 
"348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" } ], "uuid": "e9595678-d269-469e-ae6b-75e49259de63", "value": "BADNEWS - S0128" }, { "description": "[SLOWDRIFT](https://attack.mitre.org/software/S0218) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) against academic and strategic victims in South Korea. 
(Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0218", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0218", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" ], "synonyms": [ "SLOWDRIFT" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "e5a9a2ec-348e-4a2f-98dd-16c3e8845576", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16", "value": "SLOWDRIFT - S0218" }, { "description": "[Dok](https://attack.mitre.org/software/S0281) is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)).(Citation: objsee mac malware 2017)(Citation: hexed osx.dok analysis 2019)(Citation: CheckPoint Dok)", "meta": { "external_id": "S0281", "mitre_platforms": [ "macOS" ], "refs": [ "http://www.hexed.in/2019/07/osxdok-analysis.html", "https://attack.mitre.org/software/S0281", "https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/", "https://objective-see.com/blog/blog_0x25.html" ], "synonyms": [ "Dok", "Retefe" ] }, "related": [ { "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", "type": "uses" }, { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, { "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", "type": "uses" }, { "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", "type": "uses" }, { "dest-uuid": "84601337-6a55-4ad7-9c35-79e0d1ea2ab3", "type": "uses" }, { "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { 
"dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "f36b2598-515f-4345-84e5-5ccde253edbe", "value": "Dok - S0281" }, { "description": "[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)", "meta": { "external_id": "S0182", "mitre_platforms": [ "Windows", "Android" ], "refs": [ "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf", "http://www.finfisher.com/FinFisher/index.html", "https://attack.mitre.org/software/S0182", "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/", "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html" ], "synonyms": [ "FinFisher", "FinSpy" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": 
"1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "541b64bc-87ec-4cc2-aaee-329355987853", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "uses" } ], "uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", "value": "FinFisher - S0182" }, { "description": 
"[Sunbird](https://attack.mitre.org/software/S1082) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Sunbird](https://attack.mitre.org/software/S1082) was first active in early 2017. While [Sunbird](https://attack.mitre.org/software/S1082) and [Hornbill](https://attack.mitre.org/software/S1077) overlap in core capabilities, [Sunbird](https://attack.mitre.org/software/S1082) has a more extensive set of malicious features.(Citation: lookout_hornbill_sunbird_0221)", "meta": { "external_id": "S1082", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1082", "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" ], "synonyms": [ "Sunbird" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "type": "uses" }, { "dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", 
"type": "uses" }, { "dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec", "type": "uses" } ], "uuid": "feae299d-e34f-4fc9-8545-486d0905bd41", "value": "Sunbird - S1082" }, { "description": "[WINERACK](https://attack.mitre.org/software/S0219) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0219", "refs": [ "https://attack.mitre.org/software/S0219", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "49025073-4cd3-43b8-b893-e80a1d3adc04", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" } ], "uuid": "49abab73-3c5c-476e-afd5-69b5c732d845", "value": "WINERACK - S0219" }, { "description": "[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. 
(Citation: Lookout-EnterpriseApps)", "meta": { "external_id": "S0291", "refs": [ "https://attack.mitre.org/software/S0291", "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" ] }, "related": [ { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" } ], "uuid": "c709da93-20c3-4d17-ab68-48cba76b2137", "value": "PJApps - S0291" }, { "description": "[Escobar](https://attack.mitre.org/software/S1092) is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.(Citation: Bleeipng Computer Escobar)", "meta": { "external_id": "S1092", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1092", "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/" ], "synonyms": [ "Escobar" ] }, "related": [ { "dest-uuid": "0b761f2b-197a-40f2-b100-8152cb957c0c", "type": "uses" }, { "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "type": "uses" }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", 
"type": "uses" }, { "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" } ], "uuid": "ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "value": "Escobar - S1092" }, { "description": "[DCSrv](https://attack.mitre.org/software/S1033) is destructive malware that has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) since at least September 2021. Though [DCSrv](https://attack.mitre.org/software/S1033) has ransomware-like capabilities, [Moses Staff](https://attack.mitre.org/groups/G1009) does not demand ransom or offer a decryption key.(Citation: Checkpoint MosesStaff Nov 2021)", "meta": { "external_id": "S1033", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1033", "https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" ], "synonyms": [ "DCSrv" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" } ], "uuid": "5633ffd3-81ef-4f98-8f93-4896b03998f0", "value": "DCSrv - S1033" }, { "description": "[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. 
(Citation: FireEye-RuMMS)", "meta": { "external_id": "S0313", "refs": [ "https://attack.mitre.org/software/S0313", "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" ] }, "related": [ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "936be60d-90eb-4c36-9247-4b31128432c4", "value": "RuMMS - S0313" }, { "description": "[HotCroissant](https://attack.mitre.org/software/S0431) is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.(Citation: US-CERT HOTCROISSANT February 2020) [HotCroissant](https://attack.mitre.org/software/S0431) shares numerous code similarities with [Rifdoor](https://attack.mitre.org/software/S0433).(Citation: Carbon Black HotCroissant April 2020)", "meta": { "external_id": "S0431", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0431", "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045d" ], "synonyms": [ "HotCroissant" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": 
"391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "aad11e34-02ca-4220-91cd-2ed420af4db3", "value": "HotCroissant - S0431" }, { "description": "[Downdelph](https://attack.mitre.org/software/S0134) is a first-stage downloader written in Delphi that has been used by [APT28](https://attack.mitre.org/groups/G0007) in rare instances between 2013 and 2015. 
(Citation: ESET Sednit Part 3)", "meta": { "external_id": "S0134", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf", "https://attack.mitre.org/software/S0134" ], "synonyms": [ "Downdelph", "Delphacy" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "837a295c-15ff-41c0-9b7e-5f2fb502b00a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" } ], "uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", "value": "Downdelph - S0134" }, { "description": "[Flame](https://attack.mitre.org/software/S0143) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. 
(Citation: Kaspersky Flame)", "meta": { "external_id": "S0143", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0143", "https://securelist.com/the-flame-questions-and-answers-51/34344/", "https://www.crysys.hu/publications/files/skywiper.pdf", "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache" ], "synonyms": [ "Flame", "Flamer", "sKyWIper" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "613d08bc-e8f4-4791-80b0-c8b974340dfd", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d7963066-62ed-4494-9b8c-4b8b691a7c82", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "value": "Flame - S0143" }, { "description": "[StrifeWater](https://attack.mitre.org/software/S1034) is a remote-access tool that has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) in the initial stages of their attacks since at least November 2021.(Citation: Cybereason StrifeWater Feb 2022)", "meta": { "external_id": "S1034", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1034", "https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" ], "synonyms": [ "StrifeWater" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", 
"type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "fb78294a-7d7a-4d38-8ad0-92e67fddc9f0", "value": "StrifeWater - S1034" }, { "description": "[Xbash](https://attack.mitre.org/software/S0341) is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. 
[Xbash](https://attack.mitre.org/software/S0341) was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.(Citation: Unit42 Xbash Sept 2018)", "meta": { "external_id": "S0341", "mitre_platforms": [ "Windows", "Linux" ], "refs": [ "https://attack.mitre.org/software/S0341", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" ], "synonyms": [ "Xbash" ] }, "related": [ { "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" } ], "uuid": "6a92d80f-cc65-45f6-aa66-3cdea6786b3c", "value": "Xbash - S0341" }, { "description": "[Final1stspy](https://attack.mitre.org/software/S0355) is a dropper family that has been used to deliver [DOGCALL](https://attack.mitre.org/software/S0213).(Citation: Unit 42 Nokki Oct 2018)", "meta": { "external_id": "S0355", 
"mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0355", "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" ], "synonyms": [ "Final1stspy" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71", "value": "Final1stspy - S0355" }, { "description": "[AvosLocker](https://attack.mitre.org/software/S1053) is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. 
As of March 2022, [AvosLocker](https://attack.mitre.org/software/S1053) had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Joint CSA AvosLocker Mar 2022)", "meta": { "external_id": "S1053", "mitre_platforms": [ "Linux", "Windows" ], "refs": [ "https://attack.mitre.org/software/S1053", "https://www.ic3.gov/Media/News/2022/220318.pdf", "https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker" ], "synonyms": [ "AvosLocker" ] }, "related": [ { "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" } ], "uuid": "0945a1a5-a79a-47c8-9079-10c16cdfcb5d", "value": "AvosLocker - 
S1053" }, { "description": "[Cannon](https://attack.mitre.org/software/S0351) is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. (Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)", "meta": { "external_id": "S0351", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0351", "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" ], "synonyms": [ "Cannon" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "d20b397a-ea47-48a9-b503-2e2a3551e11d", "value": "Cannon - S0351" }, { "description": "[HIDEDRV](https://attack.mitre.org/software/S0135) is a rootkit used by [APT28](https://attack.mitre.org/groups/G0007). It has been deployed along with [Downdelph](https://attack.mitre.org/software/S0134) to execute and hide that malware. 
(Citation: ESET Sednit Part 3) (Citation: Sekoia HideDRV Oct 2016)", "meta": { "external_id": "S0135", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf", "https://attack.mitre.org/software/S0135" ], "synonyms": [ "HIDEDRV" ] }, "related": [ { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", "value": "HIDEDRV - S0135" }, { "description": "[LiteDuke](https://attack.mitre.org/software/S0513) is a third stage backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016), primarily in 2014-2015. [LiteDuke](https://attack.mitre.org/software/S0513) used the same dropper as [PolyglotDuke](https://attack.mitre.org/software/S0518), and was found on machines also compromised by [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)", "meta": { "external_id": "S0513", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0513", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" ], "synonyms": [ "LiteDuke" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", 
"type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "95e2cbae-d82c-4f7b-b63c-16462015d35d", "value": "LiteDuke - S0513" }, { "description": "[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)", "meta": { "external_id": "S0315", "refs": [ "https://attack.mitre.org/software/S0315", "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" ] }, "related": [ { "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", "type": "uses" }, { "dest-uuid": "8269e779-db23-4c94-aafb-36ee94879417", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" } ], "uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878", "value": "DualToy - S0315" }, { "description": "[Grandoreiro](https://attack.mitre.org/software/S0531) is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. 
[Grandoreiro](https://attack.mitre.org/software/S0531) has confirmed victims in Brazil, Mexico, Portugal, and Spain.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)", "meta": { "external_id": "S0531", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0531", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" ], "synonyms": [ "Grandoreiro" ] }, "related": [ { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, 
{ "dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" } ], "uuid": "958b5d06-8bb0-4c5b-a2e7-0130fe654ac7", "value": "Grandoreiro - S0531" }, { "description": "[RedLeaves](https://attack.mitre.org/software/S0153) is a malware family used by [menuPass](https://attack.mitre.org/groups/G0045). The code overlaps with [PlugX](https://attack.mitre.org/software/S0013) and may be based upon the open source tool Trochilus. 
(Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017)", "meta": { "external_id": "S0153", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0153", "https://twitter.com/ItsReallyNick/status/850105140589633536", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" ], "synonyms": [ "RedLeaves", "BUGJUICE" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "90124cc8-1205-4e63-83ad-5c45a110b1e6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a70e93a7-3578-47e1-9926-0818979ed866", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ad6a1b4a-6d79-40d4-adb7-1d7ca697347e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": 
"d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "value": "RedLeaves - S0153" }, { "description": "[Snip3](https://attack.mitre.org/software/S1086) is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including [AsyncRAT](https://attack.mitre.org/software/S1087), [Revenge RAT](https://attack.mitre.org/software/S0379), [Agent Tesla](https://attack.mitre.org/software/S0331), and [NETWIRE](https://attack.mitre.org/software/S0198).(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)", "meta": { "external_id": "S1086", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1086", "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", "https://telefonicatech.com/blog/snip3-investigacion-malware" ], "synonyms": [ "Snip3" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": 
"9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "4327aff5-f194-440c-b499-4d9730cc1eab", "value": "Snip3 - S1086" }, { "description": "[USBStealer](https://attack.mitre.org/software/S0136) is malware that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with [ADVSTORESHELL](https://attack.mitre.org/software/S0045). 
(Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy)", "meta": { "external_id": "S0136", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/", "https://attack.mitre.org/software/S0136", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" ], "synonyms": [ "USBStealer", "USB Stealer", "Win32/USBStealer" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "44909efb-7cd3-42e3-b225-9f3e96b5f362", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" } ], "uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "value": "USBStealer - S0136" }, { "description": "[Chaes](https://attack.mitre.org/software/S0631) is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. 
[Chaes](https://attack.mitre.org/software/S0631) was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.(Citation: Cybereason Chaes Nov 2020)", "meta": { "external_id": "S0631", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0631", "https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf" ], "synonyms": [ "Chaes" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2cd950a6-16c4-404a-aa01-044322395107", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "type": "uses" }, { "dest-uuid": 
"b8902400-e6c5-4ba2-95aa-2d35b442b118", "type": "uses" }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "77e0ecf7-ca91-4c06-8012-8e728986a87a", "value": "Chaes - S0631" }, { "description": "[Janicab](https://attack.mitre.org/software/S0163) is an OS X trojan that relied on a valid developer ID and oblivious users to install it. (Citation: Janicab)", "meta": { "external_id": "S0163", "mitre_platforms": [ "macOS" ], "refs": [ "http://www.thesafemac.com/new-signed-malware-called-janicab/", "https://attack.mitre.org/software/S0163" ], "synonyms": [ "Janicab" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "c3c20c4b-e12a-42e5-960a-eea4644014f4", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", "value": "Janicab - S0163" }, { "description": "[STARWHALE](https://attack.mitre.org/software/S1037) is a Windows Script File (WSF) backdoor that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069), possibly since at least November 2021; there is also a [STARWHALE](https://attack.mitre.org/software/S1037) variant written in Golang with similar capabilities. 
Security researchers have also noted the use of [STARWHALE](https://attack.mitre.org/software/S1037) by UNC3313, which may be associated with [MuddyWater](https://attack.mitre.org/groups/G0069).(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022)", "meta": { "external_id": "S1037", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1037", "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage" ], "synonyms": [ "STARWHALE", "CANOPY" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" } ], "uuid": "e355fc84-6f3c-4888-8e0a-d7fa9c378532", "value": "STARWHALE - S1037" }, { "description": "[CORESHELL](https://attack.mitre.org/software/S0137) is a downloader used by [APT28](https://attack.mitre.org/groups/G0007). 
The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)", "meta": { "external_id": "S0137", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0137", "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" ], "synonyms": [ "CORESHELL", "Sofacy", "SOURFACE" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", "value": "CORESHELL - S0137" }, { "description": "[FLIPSIDE](https://attack.mitre.org/software/S0173) is a simple tool similar to Plink that is used by [FIN5](https://attack.mitre.org/groups/G0053) to maintain access to victims. 
(Citation: Mandiant FIN5 GrrCON Oct 2016)", "meta": { "external_id": "S0173", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0173", "https://www.youtube.com/watch?v=fevGZs0EQu8" ], "synonyms": [ "FLIPSIDE" ] }, "related": [ { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" } ], "uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", "value": "FLIPSIDE - S0173" }, { "description": "[POWERTON](https://attack.mitre.org/software/S0371) is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by [APT33](https://attack.mitre.org/groups/G0064). At least two variants of the backdoor have been identified, with the later version containing improved functionality.(Citation: FireEye APT33 Guardrail)", "meta": { "external_id": "S0371", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0371", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" ], "synonyms": [ "POWERTON" ] }, "related": [ { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "e85cae1a-bce3-4ac4-b36b-b00acac0567b", "value": "POWERTON - S0371" }, { "description": "[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. 
(Citation: Proofpoint-Marcher)", "meta": { "external_id": "S0317", "refs": [ "https://attack.mitre.org/software/S0317", "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks" ] }, "related": [ { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "type": "uses" } ], "uuid": "f9854ba6-989d-43bf-828b-7240b8a65291", "value": "Marcher - S0317" }, { "description": "[Royal](https://attack.mitre.org/software/S1073) is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. [Royal](https://attack.mitre.org/software/S1073) employs partial encryption and multiple threads to evade detection and speed encryption. [Royal](https://attack.mitre.org/software/S1073) has been used in attacks against multiple industries worldwide--including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in [Royal](https://attack.mitre.org/software/S1073) and [Conti](https://attack.mitre.org/software/S0575) attacks and noted a possible connection between their operators.(Citation: Microsoft Royal ransomware November 2022)(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: Trend Micro Royal Linux ESXi February 2023)(Citation: CISA Royal AA23-061A March 2023)", "meta": { "external_id": "S1073", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1073", "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a", "https://www.cybereason.com/blog/royal-ransomware-analysis", "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive", "https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/", 
"https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html" ], "synonyms": [ "Royal" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "802a874d-7463-4f2a-99e3-6a1f5a919a21", "value": "Royal - S1073" }, { "description": "[OLDBAIT](https://attack.mitre.org/software/S0138) is a credential harvester used by [APT28](https://attack.mitre.org/groups/G0007). 
(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)", "meta": { "external_id": "S0138", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0138", "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" ], "synonyms": [ "OLDBAIT", "Sasfis" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "6d1e2736-d363-49aa-9054-9c9e4ac0c520", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", "value": "OLDBAIT - S0138" }, { "description": "[FlawedAmmyy](https://attack.mitre.org/software/S0381) is a remote access tool (RAT) that was first seen in early 2016. 
The code for [FlawedAmmyy](https://attack.mitre.org/software/S0381) was based on leaked source code for a version of Ammyy Admin, a remote access software.(Citation: Proofpoint TA505 Mar 2018)", "meta": { "external_id": "S0381", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0381", "https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware" ], "synonyms": [ "FlawedAmmyy" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "type": "uses" }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { 
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", "value": "FlawedAmmyy - S0381" }, { "description": "[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)", "meta": { "external_id": "S1083", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1083", "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/" ], "synonyms": [ "Chameleon" ] }, "related": [ { "dest-uuid": "0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "type": "uses" }, { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", "type": "uses" }, { "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "type": "uses" }, { "dest-uuid": 
"e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "value": "Chameleon - S1083" }, { "description": "[HAWKBALL](https://attack.mitre.org/software/S0391) is a backdoor that was observed in targeting of the government sector in Central Asia.(Citation: FireEye HAWKBALL Jun 2019)", "meta": { "external_id": "S0391", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0391", "https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" ], "synonyms": [ "HAWKBALL" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "12a7450d-b03e-4990-a5b8-b405ab9c803b", "value": "HAWKBALL - S0391" }, { "description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. 
(Citation: HackerNews-Allwinner)", "meta": { "external_id": "S0319", "refs": [ "https://attack.mitre.org/software/S0319", "https://thehackernews.com/2016/05/android-kernal-exploit.html" ] }, "related": [ { "dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc", "type": "uses" } ], "uuid": "08784a9d-09e9-4dce-a839-9612398214e8", "value": "Allwinner - S0319" }, { "description": "[Bumblebee](https://attack.mitre.org/software/S1039) is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. [Bumblebee](https://attack.mitre.org/software/S1039) has been linked to ransomware operations including [Conti](https://attack.mitre.org/software/S0575), Quantum, and Mountlocker and derived its name from the appearance of \"bumblebee\" in the user-agent.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)\n", "meta": { "external_id": "S1039", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1039", "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" ], "synonyms": [ "Bumblebee" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": 
"1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", "type": "uses" }, { "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": 
"e4dc8c01-417f-458d-9ee0-bb0617c1b391", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "04378e79-4387-468a-a8f7-f974b8254e44", "value": "Bumblebee - S1039" }, { "description": "[PowerDuke](https://attack.mitre.org/software/S0139) is a backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. (Citation: Volexity PowerDuke November 2016)", "meta": { "external_id": "S0139", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0139", "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" ], "synonyms": [ "PowerDuke" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": 
"d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "value": "PowerDuke - S0139" }, { "description": "[FlyTrap](https://attack.mitre.org/software/S1093) is an Android trojan, first detected in March 2021, that uses social engineering tactics to compromise Facebook accounts. [FlyTrap](https://attack.mitre.org/software/S1093) was initially detected through infected apps on the Google Play store, and is believed to have impacted over 10,000 victims across at least 140 countries.(Citation: Trend Micro FlyTrap) ", "meta": { "external_id": "S1093", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1093", "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/" ], "synonyms": [ "FlyTrap" ] }, "related": [ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" } ], "uuid": "8338393c-cb2e-4ee6-b944-34672499c785", "value": "FlyTrap - S1093" }, { "description": "[BabyShark](https://attack.mitre.org/software/S0414) is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. 
(Citation: Unit42 BabyShark Feb 2019)", "meta": { "external_id": "S0414", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0414", "https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/" ], "synonyms": [ "BabyShark" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "d1b7830a-fced-4be3-a99c-f495af9d9e1b", "value": "BabyShark - S0414" }, { "description": "[ChChes](https://attack.mitre.org/software/S0144) is a Trojan that appears to be used exclusively by [menuPass](https://attack.mitre.org/groups/G0045). It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. 
(Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017)", "meta": { "external_id": "S0144", "mitre_platforms": [ "Windows" ], "refs": [ "http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", "https://attack.mitre.org/software/S0144", "https://twitter.com/ItsReallyNick/status/850105140589633536", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", "https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" ], "synonyms": [ "ChChes", "Scorpion", "HAYMAKER" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "d71604d2-a17e-4b4e-82be-19cb54f93161", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "value": 
"ChChes - S0144" }, { "description": "[FunnyDream](https://attack.mitre.org/software/S1044) is a backdoor with multiple components that was used during the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign since at least 2019, primarily for execution and exfiltration.(Citation: Bitdefender FunnyDream Campaign November 2020)", "meta": { "external_id": "S1044", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1044", "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" ], "synonyms": [ "FunnyDream" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, 
{ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "be25c1c0-1590-4219-a3d5-6f31799d1d1b", "value": "FunnyDream - S1044" }, { "description": "[PowerShower](https://attack.mitre.org/software/S0441) is a PowerShell backdoor used by [Inception](https://attack.mitre.org/groups/G0100) for initial reconnaissance and to download and execute second stage payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)", "meta": { "external_id": "S0441", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0441", "https://securelist.com/recent-cloud-atlas-activity/92016/", 
"https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/" ], "synonyms": [ "PowerShower" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" } ], "uuid": "53486bc7-7748-4716-8190-e4f1fde04c53", "value": "PowerShower - S0441" }, { "description": "[BOOSTWRITE](https://attack.mitre.org/software/S0415) is a loader, used by [FIN7](https://attack.mitre.org/groups/G0046), that is crafted to be launched via abuse of the DLL search order of applications.(Citation: FireEye FIN7 Oct 2019)", "meta": { "external_id": "S0415", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0415", "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html" ], "synonyms": [ "BOOSTWRITE" ] }, "related": [ { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", 
"type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" } ], "uuid": "56d10a7f-bb42-4267-9b4c-63abb9c06010", "value": "BOOSTWRITE - S0415" }, { "description": "[POWERSOURCE](https://attack.mitre.org/software/S0145) is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017)", "meta": { "external_id": "S0145", "mitre_platforms": [ "Windows" ], "refs": [ "http://blog.talosintelligence.com/2017/03/dnsmessenger.html", "https://attack.mitre.org/software/S0145", "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" ], "synonyms": [ "POWERSOURCE", "DNSMessenger" ] }, "related": [ { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" } ], "uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", "value": "POWERSOURCE - S0145" }, { "description": 
"[Drinik](https://attack.mitre.org/software/S1054) is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, [Drinik](https://attack.mitre.org/software/S1054) resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)", "meta": { "external_id": "S1054", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1054", "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" ], "synonyms": [ "Drinik" ] }, "related": [ { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "type": "uses" }, { "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" } ], "uuid": "d6e009b7-df5e-447a-bfd2-d5b77374edfe", "value": "Drinik - S1054" }, { "description": "[LoudMiner](https://attack.mitre.org/software/S0451) is a cryptocurrency miner which uses virtualization software to siphon system resources. 
The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)", "meta": { "external_id": "S0451", "mitre_platforms": [ "macOS", "Windows" ], "refs": [ "https://attack.mitre.org/software/S0451", "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" ], "synonyms": [ "LoudMiner" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "810aa4ad-61c9-49cb-993f-daa06199421d", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", "type": "uses" }, { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "f99f3dcc-683f-4936-8791-075ac5e58f10", "value": "LoudMiner - S0451" }, { "description": "[WellMess](https://attack.mitre.org/software/S0514) is a lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by 
[APT29](https://attack.mitre.org/groups/G0016).(Citation: CISA WellMess July 2020)(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)", "meta": { "external_id": "S0514", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0514", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" ], "synonyms": [ "WellMess" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" } ], "uuid": "3a4197ae-ec63-4162-907b-9a073d1157e4", "value": "WellMess - S0514" }, { "description": "[TEXTMATE](https://attack.mitre.org/software/S0146) is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with [POWERSOURCE](https://attack.mitre.org/software/S0145) in February 2017. 
(Citation: FireEye FIN7 March 2017)", "meta": { "external_id": "S0146", "mitre_platforms": [ "Windows" ], "refs": [ "http://blog.talosintelligence.com/2017/03/dnsmessenger.html", "https://attack.mitre.org/software/S0146", "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" ], "synonyms": [ "TEXTMATE", "DNSMessenger" ] }, "related": [ { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", "value": "TEXTMATE - S0146" }, { "description": "[CostaBricks](https://attack.mitre.org/software/S0614) is a loader that was used to deploy 32-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)", "meta": { "external_id": "S0614", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0614", "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" ], "synonyms": [ "CostaBricks" ] }, "related": [ { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "5d342981-5194-41e7-b33f-8e91998d7d88", "value": "CostaBricks - S0614" }, { "description": 
"[SDBbot](https://attack.mitre.org/software/S0461) is a backdoor with installer and loader components that has been used by [TA505](https://attack.mitre.org/groups/G0092) since at least 2019.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)", "meta": { "external_id": "S0461", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0461", "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/", "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" ], "synonyms": [ "SDBbot" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", "type": "uses" }, { "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", "type": "uses" }, { "dest-uuid": 
"d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "92b03a94-7147-4952-9d5a-b4d24da7487c", "value": "SDBbot - S0461" }, { "description": "[SVCReady](https://attack.mitre.org/software/S1064) is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between [TA551](https://attack.mitre.org/groups/G0127) activity and [SVCReady](https://attack.mitre.org/software/S1064) distribution, including similarities in file names, lure images, and identical grammatical errors.(Citation: HP SVCReady Jun 2022)", "meta": { "external_id": "S1064", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1064", "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" ], "synonyms": [ "SVCReady" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { 
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "7230ded7-3b1a-4d6e-9735-d0ffd47af9f6", "value": "SVCReady - S1064" }, { "description": "[RDFSNIFFER](https://attack.mitre.org/software/S0416) is a module loaded by [BOOSTWRITE](https://attack.mitre.org/software/S0415) which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.(Citation: FireEye FIN7 Oct 2019)", "meta": { "external_id": "S0416", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0416", "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html" ], "synonyms": [ "RDFSNIFFER" ] }, "related": [ { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "uses" } ], "uuid": "065196de-d7e8-4888-acfb-b2134022ba1b", "value": "RDFSNIFFER - S0416" }, { "description": 
"[TDTESS](https://attack.mitre.org/software/S0164) is a 64-bit .NET binary backdoor used by [CopyKittens](https://attack.mitre.org/groups/G0052). (Citation: ClearSky Wilted Tulip July 2017)", "meta": { "external_id": "S0164", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf", "https://attack.mitre.org/software/S0164" ], "synonyms": [ "TDTESS" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", "value": "TDTESS - S0164" }, { "description": "[PowGoop](https://attack.mitre.org/software/S1046) is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) as their main loader.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022)", "meta": { "external_id": "S1046", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1046", "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a", "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/" ], "synonyms": [ "PowGoop" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": 
"uses" }, { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "type": "uses" }, { "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" } ], "uuid": "c19d19ae-dd58-4584-8469-966bbeaa80e3", "value": "PowGoop - S1046" }, { "description": "[Kobalos](https://attack.mitre.org/software/S0641) is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. [Kobalos](https://attack.mitre.org/software/S0641) has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. [Kobalos](https://attack.mitre.org/software/S0641) was first identified in late 2019.(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)", "meta": { "external_id": "S0641", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S0641", "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" ], "synonyms": [ "Kobalos" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "type": "uses" }, { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, { "dest-uuid": 
"a19e86f8-1c0a-4fea-8407-23b73d615776", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" } ], "uuid": "9abdda30-08e0-4ab1-9cf0-d447654c6de9", "value": "Kobalos - S0641" }, { "description": "[ANDROMEDA](https://attack.mitre.org/software/S1074) is commodity malware that was widespread in the early 2010s and continues to be observed in infections across a wide variety of industries. During the 2022 [C0026](https://attack.mitre.org/campaigns/C0026) campaign, threat actors re-registered expired [ANDROMEDA](https://attack.mitre.org/software/S1074) C2 domains to spread malware to select targets in Ukraine.(Citation: Mandiant Suspected Turla Campaign February 2023)", "meta": { "external_id": "S1074", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1074", "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" ], "synonyms": [ "ANDROMEDA" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "dcd9548e-df9e-47c2-81f3-bc084289959d", "value": "ANDROMEDA - S1074" }, { "description": "[GRIFFON](https://attack.mitre.org/software/S0417) is a JavaScript backdoor used by [FIN7](https://attack.mitre.org/groups/G0046). 
(Citation: SecureList Griffon May 2019)", "meta": { "external_id": "S0417", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0417", "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/" ], "synonyms": [ "GRIFFON" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "04fc1842-f9e4-47cf-8cb8-5c61becad142", "value": "GRIFFON - S0417" }, { "description": "[Mori](https://attack.mitre.org/software/S1047) is a backdoor that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022)", "meta": { "external_id": "S1047", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1047", "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a", "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/" ], "synonyms": [ "Mori" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": 
"c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" } ], "uuid": "7e100ca4-e639-48d9-9a9d-8ad84aa7b448", "value": "Mori - S1047" }, { "description": "[Pteranodon](https://attack.mitre.org/software/S0147) is a custom backdoor used by [Gamaredon Group](https://attack.mitre.org/groups/G0047). (Citation: Palo Alto Gamaredon Feb 2017)", "meta": { "external_id": "S0147", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0147", "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://www.secureworks.com/research/threat-profiles/iron-tilden" ], "synonyms": [ "Pteranodon", "Pterodo" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4", "type": "uses" } ], "uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "value": "Pteranodon - S0147" }, { "description": "[build_downer](https://attack.mitre.org/software/S0471) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)", "meta": { "external_id": "S0471", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0471", "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" ], "synonyms": [ "build_downer" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40", "value": "build_downer - S0471" }, { "description": "[QUIETEXIT](https://attack.mitre.org/software/S1084) is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021. 
[APT29](https://attack.mitre.org/groups/G0016) has deployed [QUIETEXIT](https://attack.mitre.org/software/S1084) on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.(Citation: Mandiant APT29 Eye Spy Email Nov 22)", "meta": { "external_id": "S1084", "mitre_platforms": [ "Network" ], "refs": [ "https://attack.mitre.org/software/S1084", "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" ], "synonyms": [ "QUIETEXIT" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "4816d361-f82b-4a18-aa05-b215e7cf9200", "value": "QUIETEXIT - S1084" }, { "description": "[POWRUNER](https://attack.mitre.org/software/S0184) is a PowerShell script that sends and receives commands to and from the C2 server. 
(Citation: FireEye APT34 Dec 2017)", "meta": { "external_id": "S0184", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0184", "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" ], "synonyms": [ "POWRUNER" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "value": "POWRUNER - S0184" }, { 
"description": "[ViceLeaker](https://attack.mitre.org/software/S0418) is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "meta": { "external_id": "S0418", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0418", "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" ], "synonyms": [ "ViceLeaker", "Triout" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" } ], "uuid": "6fcaf9b0-b509-4644-9f93-556222c81ed2", "value": "ViceLeaker - S0418" }, { "description": "[RTM](https://attack.mitre.org/software/S0148) is custom malware written in Delphi. It is used by the group of the same name ([RTM](https://attack.mitre.org/groups/G0048)). 
Newer versions of the malware have been reported publicly as Redaman.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)", "meta": { "external_id": "S0148", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0148", "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/", "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" ], "synonyms": [ "RTM", "Redaman" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": 
"7bd9c723-2f78-4309-82c5-47cad406572b", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e6952b4d-e96d-4641-a88f-60074776d553", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" } ], "uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "value": "RTM - S0148" }, { "description": "[BRATA](https://attack.mitre.org/software/S1094) (Brazilian Remote Access Tool, Android) is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, [BRATA](https://attack.mitre.org/software/S1094) was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. 
There are currently three known variants of [BRATA](https://attack.mitre.org/software/S1094).(Citation: securelist_brata_0819)(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "meta": { "external_id": "S1094", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1094", "https://securelist.com/spying-android-rat-from-brazil-brata/92775/", "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/" ], "synonyms": [ "BRATA" ] }, "related": [ { "dest-uuid": "0b761f2b-197a-40f2-b100-8152cb957c0c", "type": "uses" }, { "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", "type": "uses" }, { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "1d44f529-6fe6-489f-8a01-6261ac43f05e", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "24a77e53-0751-46fc-b207-99378fb35c08", "type": "uses" }, { "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "51636761-2e35-44bf-9e56-e337adf97174", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "74e6003f-c7f4-4047-983b-708cc19b96b6", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "9ef14445-6f35-4ed0-a042-5024f13a9242", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": 
"uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", "type": "uses" }, { "dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df", "type": "uses" }, { "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec", "type": "uses" }, { "dest-uuid": "e422b6fa-4739-46b9-992e-82f1b350c780", "type": "uses" } ], "uuid": "5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "value": "BRATA - S1094" }, { "description": "[SUGARUSH](https://attack.mitre.org/software/S1049) is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 address. [SUGARUSH](https://attack.mitre.org/software/S1049) was first identified during analysis of UNC3890's [C0010](https://attack.mitre.org/campaigns/C0010) campaign targeting Israeli companies, which began in late 2020.(Citation: Mandiant UNC3890 Aug 2022)", "meta": { "external_id": "S1049", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1049", "https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" ], "synonyms": [ "SUGARUSH" ] }, "related": [ { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" } ], "uuid": "44e2a842-415b-47f4-8549-83fbdb8a5674", "value": "SUGARUSH - S1049" }, { "description": "[SimBad](https://attack.mitre.org/software/S0419) was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. 
The name \"SimBad\" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)", "meta": { "external_id": "S0419", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0419", "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/" ], "synonyms": [ "SimBad" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" } ], "uuid": "f79c01eb-2954-40d8-a819-00b342f47ce7", "value": "SimBad - S0419" }, { "description": "[MoonWind](https://attack.mitre.org/software/S0149) is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. 
(Citation: Palo Alto MoonWind March 2017)", "meta": { "external_id": "S0149", "mitre_platforms": [ "Windows" ], "refs": [ "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/", "https://attack.mitre.org/software/S0149" ], "synonyms": [ "MoonWind" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "76ec1827-68a1-488f-9899-2b788ea8db64", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "f266754c-d0aa-4918-95a3-73b28eaa66e3", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "value": "MoonWind - S0149" }, { "description": 
"[StrongPity](https://attack.mitre.org/software/S0491) is an information stealing malware used by [PROMETHIUM](https://attack.mitre.org/groups/G0056).(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)", "meta": { "external_id": "S0491", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0491", "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf" ], "synonyms": [ "StrongPity" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": 
"bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "20945359-3b39-4542-85ef-08ecb4e1c174", "value": "StrongPity - S0491" }, { "description": "[SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)", "meta": { "external_id": "S1055", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1055", "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/" ], "synonyms": [ "SharkBot" ] }, "related": [ { "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", "type": "uses" }, { "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "type": "uses" }, { "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "28fdd23d-aee3-4afe-bc3f-5f1f52929258", "type": "uses" }, { "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, { "dest-uuid": 
"b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "bb4387ab-7a51-468b-bf5f-a9a8612f0303", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" }, { "dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626", "type": "uses" } ], "uuid": "9cd72f5c-bec0-4f7e-bb6d-296937116291", "value": "SharkBot - S1055" }, { "description": "[WINDSHIELD](https://attack.mitre.org/software/S0155) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)", "meta": { "external_id": "S0155", "refs": [ "https://attack.mitre.org/software/S0155", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" } ], "uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", "value": "WINDSHIELD - S0155" }, { "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. 
Samples have been found as early as 2012.(Citation: Lookout Uyghur Campaign)", "meta": { "external_id": "S0551", "refs": [ "https://attack.mitre.org/software/S0551", "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" ], "synonyms": [ "GoldenEagle" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "type": "uses" } ], "uuid": "0b9c5d11-651a-4378-b129-5c584d0242c5", "value": "GoldenEagle - S0551" }, { "description": "[WellMail](https://attack.mitre.org/software/S0515) is a lightweight malware written in Golang used by [APT29](https://attack.mitre.org/groups/G0016), similar in design and structure to [WellMess](https://attack.mitre.org/software/S0514).(Citation: CISA WellMail July 
2020)(Citation: NCSC APT29 July 2020)", "meta": { "external_id": "S0515", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0515", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" ], "synonyms": [ "WellMail" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "959f3b19-2dc8-48d5-8942-c66813a5101a", "value": "WellMail - S0515" }, { "description": "[SombRAT](https://attack.mitre.org/software/S0615) is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including [FIVEHANDS](https://attack.mitre.org/software/S0618) ransomware.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)", "meta": { "external_id": "S0615", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0615", "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" ], "synonyms": [ "SombRAT" ] }, "related": [ { "dest-uuid": 
"03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1", "type": "uses" } ], "uuid": "425771c5-48b4-4ecd-9f95-74ed3fc9da59", "value": "SombRAT - S0615" }, { "description": "[BoxCaon](https://attack.mitre.org/software/S0651) is a Windows backdoor that was used by [IndigoZebra](https://attack.mitre.org/groups/G0136) in a 2021 
spearphishing campaign against Afghan government officials. [BoxCaon](https://attack.mitre.org/software/S0651)'s name stems from similarities shared with the malware family [xCaon](https://attack.mitre.org/software/S0653).(Citation: Checkpoint IndigoZebra July 2021)", "meta": { "external_id": "S0651", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0651", "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/", "https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html" ], "synonyms": [ "BoxCaon" ] }, "related": [ { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "919a056e-5104-43b9-ad55-2ac929108b71", "value": "BoxCaon - S0651" }, { "description": "[SoreFang](https://attack.mitre.org/software/S0516) is a first-stage downloader used by [APT29](https://attack.mitre.org/groups/G0016) for exfiltration and to load other malware.(Citation: NCSC APT29 July 2020)(Citation: CISA SoreFang July 2016)", "meta": { "external_id": "S0516", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0516", 
"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" ], "synonyms": [ "SoreFang" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "e33e4603-afab-402d-b2a1-248d435b5fe0", "value": "SoreFang - S0516" }, { "description": "[KOMPROGO](https://attack.mitre.org/software/S0156) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050) that is capable of process, file, and registry management. 
(Citation: FireEye APT32 May 2017)", "meta": { "external_id": "S0156", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0156", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" ], "synonyms": [ "KOMPROGO" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" } ], "uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", "value": "KOMPROGO - S0156" }, { "description": "[GuLoader](https://attack.mitre.org/software/S0561) is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including [NETWIRE](https://attack.mitre.org/software/S0198), [Agent Tesla](https://attack.mitre.org/software/S0331), [NanoCore](https://attack.mitre.org/software/S0336), FormBook, and Parallax RAT.(Citation: Unit 42 NETWIRE April 2020)(Citation: Medium Eli Salem GuLoader April 2021)", "meta": { "external_id": "S0561", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0561", "https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4", "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/" ], "synonyms": [ "GuLoader" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", 
"type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "45c759ac-b490-48bb-80d4-c8eee3431027", "value": "GuLoader - S0561" }, { "description": "[OSInfo](https://attack.mitre.org/software/S0165) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to do internal discovery on a victim's computer and network. (Citation: Symantec Buckeye)", "meta": { "external_id": "S0165", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", "https://attack.mitre.org/software/S0165" ], "synonyms": [ "OSInfo" ] }, "related": [ { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" } ], "uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "value": "OSInfo - S0165" }, { "description": "[TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. 
[TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122) ", "meta": { "external_id": "S1056", "mitre_platforms": [ "Android", "iOS" ], "refs": [ "https://attack.mitre.org/software/S1056", "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html" ], "synonyms": [ "TianySpy" ] }, "related": [ { "dest-uuid": "29f1f56c-7b7a-4c14-9e39-59577ea2743c", "type": "uses" }, { "dest-uuid": "3e091a89-a493-4a6c-8e88-d57be19bb98d", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "type": "uses" } ], "uuid": "fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "value": "TianySpy - S1056" }, { "description": "[KOPILUWAK](https://attack.mitre.org/software/S1075) is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.(Citation: Mandiant Suspected Turla Campaign February 2023)", "meta": { "external_id": "S1075", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1075", "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" ], "synonyms": [ "KOPILUWAK" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", 
"type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "09fcc02f-f9d4-43fa-8609-5e5e186b7103", "value": "KOPILUWAK - S1075" }, { "description": "[SOUNDBITE](https://attack.mitre.org/software/S0157) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)", "meta": { "external_id": "S0157", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0157", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" ], "synonyms": [ "SOUNDBITE" ] }, "related": [ { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", "value": "SOUNDBITE - S0157" }, { "description": "[Pillowmint](https://attack.mitre.org/software/S0517) is a point-of-sale malware used by [FIN7](https://attack.mitre.org/groups/G0046) designed to capture credit card information.(Citation: 
Trustwave Pillowmint June 2020)", "meta": { "external_id": "S0517", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0517", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/" ], "synonyms": [ "Pillowmint" ] }, "related": [ { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" } ], "uuid": "bd7a9e13-69fa-4243-a5e5-04326a63f9f2", "value": "Pillowmint - S0517" }, { "description": "[SEASHARPEE](https://attack.mitre.org/software/S0185) is a Web shell that has been used by [OilRig](https://attack.mitre.org/groups/G0049). 
(Citation: FireEye APT34 Webinar Dec 2017)", "meta": { "external_id": "S0185", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0185", "https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" ], "synonyms": [ "SEASHARPEE" ] }, "related": [ { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "0998045d-f96e-4284-95ce-3c8219707486", "value": "SEASHARPEE - S0185" }, { "description": "[PHOREAL](https://attack.mitre.org/software/S0158) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)", "meta": { "external_id": "S0158", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0158", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" ], "synonyms": [ "PHOREAL" ] }, "related": [ { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" } ], "uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", "value": "PHOREAL - S0158" }, { "description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) is a downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2013. 
[PolyglotDuke](https://attack.mitre.org/software/S0518) has been used to drop [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)", "meta": { "external_id": "S0518", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0518", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" ], "synonyms": [ "PolyglotDuke" ] }, "related": [ { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" } ], "uuid": "3d57dcc4-be99-4613-9482-d5218f5ec13e", "value": "PolyglotDuke - S0518" }, { "description": "[Prestige](https://attack.mitre.org/software/S1058) ransomware has been used by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.(Citation: Microsoft Prestige ransomware October 2022)", "meta": { "external_id": "S1058", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1058", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" ], "synonyms": [ "Prestige" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": 
"20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "1da748a5-875d-4212-9222-b4c23ab861be", "value": "Prestige - S1058" }, { "description": "[Sardonic](https://attack.mitre.org/software/S1085) is a backdoor written in C and C++ that is known to be used by [FIN8](https://attack.mitre.org/groups/G0061), as early as August 2021 to target a financial institution in the United States. [Sardonic](https://attack.mitre.org/software/S1085) has a plugin system that can load specially made DLLs and execute their functions.(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)", "meta": { "external_id": "S1085", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1085", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor", "https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" ], "synonyms": [ "Sardonic" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", 
"type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "0c52f5bc-557d-4083-bd27-66d7cdb794bb", "value": "Sardonic - S1085" }, { "description": "[AhRat](https://attack.mitre.org/software/S1095) is an Android remote access tool based on the open-source AhMyth remote access tool. 
[AhRat](https://attack.mitre.org/software/S1095) initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, “iRecorder – Screen Recorder”, which itself was released in September 2021.(Citation: welivesecurity_ahrat_0523)", "meta": { "external_id": "S1095", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1095", "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/" ], "synonyms": [ "AhRat" ] }, "related": [ { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "type": "uses" } ], "uuid": "24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "value": "AhRat - S1095" }, { "description": "[SNUGRIDE](https://attack.mitre.org/software/S0159) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045) as first stage malware. 
(Citation: FireEye APT10 April 2017)", "meta": { "external_id": "S0159", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0159", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" ], "synonyms": [ "SNUGRIDE" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "6a42aa10-5b7e-43b0-8c58-414cdaeda453", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", "value": "SNUGRIDE - S0159" }, { "description": "[metaMain](https://attack.mitre.org/software/S1059) is a backdoor used by [Metador](https://attack.mitre.org/groups/G1013) to maintain long-term access to compromised machines; it has also been used to decrypt [Mafalda](https://attack.mitre.org/software/S1060) into memory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "meta": { "external_id": "S1059", "mitre_platforms": [ "Windows" ], "refs": [ "https://assets.sentinelone.com/sentinellabs22/metador#page=1", "https://attack.mitre.org/software/S1059", "https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" ], "synonyms": [ "metaMain" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": 
"24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" } ], "uuid": "df350889-4de9-44e5-8cb3-888b8343e97c", "value": "metaMain - S1059" }, { "description": "[DEATHRANSOM](https://attack.mitre.org/software/S0616) is ransomware written in C that has been used since at least 2020, and has potential overlap with [FIVEHANDS](https://attack.mitre.org/software/S0618) and [HELLOKITTY](https://attack.mitre.org/software/S0617).(Citation: FireEye FiveHands April 2021)", 
"meta": { "external_id": "S0616", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0616", "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" ], "synonyms": [ "DEATHRANSOM" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "6de9cad1-eed2-4e27-b0b5-39fa29349ea0", "value": "DEATHRANSOM - S0616" }, { "description": "[RemoteCMD](https://attack.mitre.org/software/S0166) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to execute commands on a remote system similar to SysInternal's PSEXEC functionality. 
(Citation: Symantec Buckeye)", "meta": { "external_id": "S0166", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", "https://attack.mitre.org/software/S0166" ], "synonyms": [ "RemoteCMD" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", "value": "RemoteCMD - S0166" }, { "description": "[DarkTortilla](https://attack.mitre.org/software/S1066) is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. [DarkTortilla](https://attack.mitre.org/software/S1066) has been used to deliver popular information stealers, RATs, and payloads such as [Agent Tesla](https://attack.mitre.org/software/S0331), AsyncRat, [NanoCore](https://attack.mitre.org/software/S0336), RedLine, [Cobalt Strike](https://attack.mitre.org/software/S0154), and Metasploit.(Citation: Secureworks DarkTortilla Aug 2022)", "meta": { "external_id": "S1066", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1066", "https://www.secureworks.com/research/darktortilla-malware-analysis" ], "synonyms": [ "DarkTortilla" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "type": "uses" }, { "dest-uuid": 
"30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", "type": "uses" } ], "uuid": "5faaf81a-aa5b-4a4b-bae5-522439e068f8", "value": "DarkTortilla - S1066" }, { "description": "[FoggyWeb](https://attack.mitre.org/software/S0661) is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. 
It has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least early April 2021.(Citation: MSTIC FoggyWeb September 2021)", "meta": { "external_id": "S0661", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0661", "https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/" ], "synonyms": [ "FoggyWeb" ] }, "related": [ { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "uses" }, { "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", "type": "uses" }, { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": 
"72911fe3-f085-40f7-b4f2-f25a4221fe44", "value": "FoggyWeb - S0661" }, { "description": "[QUIETCANARY](https://attack.mitre.org/software/S1076) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.(Citation: Mandiant Suspected Turla Campaign February 2023)", "meta": { "external_id": "S1076", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1076", "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" ], "synonyms": [ "QUIETCANARY", "Tunnus" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "93289ecf-4d15-4d6b-a9c3-4ab27e145ef4", "value": "QUIETCANARY - S1076" }, { "description": "[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. 
It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)", "meta": { "external_id": "S1067", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1067", "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/", "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" ], "synonyms": [ "FluBot" ] }, "related": [ { "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "24a77e53-0751-46fc-b207-99378fb35c08", "type": "uses" }, { "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626", "type": "uses" } ], "uuid": "f5ff006c-702f-4ded-8e60-ca6c540d91bc", "value": "FluBot - S1067" }, { "description": "[HELLOKITTY](https://attack.mitre.org/software/S0617) is a ransomware written in C++ that shares similar code structure and functionality with [DEATHRANSOM](https://attack.mitre.org/software/S0616) and [FIVEHANDS](https://attack.mitre.org/software/S0618). 
[HELLOKITTY](https://attack.mitre.org/software/S0617) has been used since at least 2020, targets have included a Polish video game developer and a Brazilian electric power company.(Citation: FireEye FiveHands April 2021)", "meta": { "external_id": "S0617", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0617", "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" ], "synonyms": [ "HELLOKITTY" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "5d11d418-95dd-4377-b782-23160dfa17b4", "value": "HELLOKITTY - S0617" }, { "description": "[Matryoshka](https://attack.mitre.org/software/S0167) is a malware framework used by [CopyKittens](https://attack.mitre.org/groups/G0052) that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. 
(Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)", "meta": { "external_id": "S0167", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf", "https://attack.mitre.org/software/S0167", "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf" ], "synonyms": [ "Matryoshka" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", "value": "Matryoshka - S0167" }, { "description": "[Tomiris](https://attack.mitre.org/software/S0671) is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. 
Security researchers assess there are similarities between [Tomiris](https://attack.mitre.org/software/S0671) and [GoldMax](https://attack.mitre.org/software/S0588).(Citation: Kaspersky Tomiris Sep 2021)", "meta": { "external_id": "S0671", "refs": [ "https://attack.mitre.org/software/S0671", "https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" ], "synonyms": [ "Tomiris" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "327b3a25-9e60-4431-b3b6-93b9c64eacbc", "value": "Tomiris - S0671" }, { "description": "[Wingbird](https://attack.mitre.org/software/S0176) is a backdoor that appears to be a version of commercial software [FinFisher](https://attack.mitre.org/software/S0182). It is reportedly used to attack individual computers instead of networks. It was used by [NEODYMIUM](https://attack.mitre.org/groups/G0055) in a May 2016 campaign. 
(Citation: Microsoft SIR Vol 21) (Citation: Microsoft NEODYMIUM Dec 2016)", "meta": { "external_id": "S0176", "mitre_platforms": [ "Windows" ], "refs": [ "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf", "https://attack.mitre.org/software/S0176", "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Wingbird.A!dha" ], "synonyms": [ "Wingbird" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", "value": "Wingbird - S0176" }, { "description": "[FIVEHANDS](https://attack.mitre.org/software/S0618) is a customized version of [DEATHRANSOM](https://attack.mitre.org/software/S0616) ransomware written in C++. 
[FIVEHANDS](https://attack.mitre.org/software/S0618) has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with [SombRAT](https://attack.mitre.org/software/S0615).(Citation: FireEye FiveHands April 2021)(Citation: NCC Group Fivehands June 2021)", "meta": { "external_id": "S0618", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0618", "https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/", "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" ], "synonyms": [ "FIVEHANDS" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "f464354c-7103-47c6-969b-8766f0157ed2", "value": "FIVEHANDS - S0618" }, { "description": "[BlackCat](https://attack.mitre.org/software/S1068) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. 
First observed November 2021, [BlackCat](https://attack.mitre.org/software/S1068) has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)(Citation: ACSC BlackCat Apr 2022)", "meta": { "external_id": "S1068", "mitre_platforms": [ "Linux", "Windows" ], "refs": [ "https://attack.mitre.org/software/S1068", "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", "https://www.cyber.gov.au/about-us/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat", "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" ], "synonyms": [ "BlackCat", "ALPHV", "Noberus" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": 
"uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" }, { "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", "type": "uses" } ], "uuid": "50c44c34-3abb-48ae-9433-a2337de5b0bc", "value": "BlackCat - S1068" }, { "description": "[DownPaper](https://attack.mitre.org/software/S0186) is a backdoor Trojan; its main functionality is to download and run second stage malware. (Citation: ClearSky Charming Kitten Dec 2017)", "meta": { "external_id": "S0186", "mitre_platforms": [ "Windows" ], "refs": [ "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf", "https://attack.mitre.org/software/S0186" ], "synonyms": [ "DownPaper" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", "value": "DownPaper - S0186" }, { "description": "[Gazer](https://attack.mitre.org/software/S0168) is a backdoor used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2016. 
(Citation: ESET Gazer Aug 2017)", "meta": { "external_id": "S0168", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0168", "https://securelist.com/introducing-whitebear/81638/", "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/", "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" ], "synonyms": [ "Gazer", "WhiteBear" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" } ], "uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "value": "Gazer - S0168" }, { "description": "[Lizar](https://attack.mitre.org/software/S0681) is a modular remote access tool written using 
the .NET Framework that shares structural similarities to [Carbanak](https://attack.mitre.org/software/S0030). It has likely been used by [FIN7](https://attack.mitre.org/groups/G0046) since at least February 2021.(Citation: BiZone Lizar May 2021)(Citation: Threatpost Lizar May 2021)(Citation: Gemini FIN7 Oct 2021)", "meta": { "external_id": "S0681", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0681", "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", "https://geminiadvisory.io/fin7-ransomware-bastion-secure/", "https://threatpost.com/fin7-backdoor-ethical-hacking-tool/166194/" ], "synonyms": [ "Lizar", "Tirion" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "type": "uses" 
}, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "f74a5069-015d-4404-83ad-5ca01056c0dc", "value": "Lizar - S0681" }, { "description": "[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a backdoor malware used by [FIN8](https://attack.mitre.org/groups/G0061) that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)", "meta": { "external_id": "S0196", "mitre_platforms": [ "Windows" ], "refs": [ "http://blog.morphisec.com/security-alert-fin8-is-back", "https://attack.mitre.org/software/S0196", "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html", "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" ], "synonyms": [ "PUNCHBUGGY", "ShellTea" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" 
}, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", "value": "PUNCHBUGGY - S0196" }, { "description": "[TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)", "meta": { "external_id": "S1069", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1069", "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19" ], "synonyms": [ "TangleBot" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": 
"d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" } ], "uuid": "68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "value": "TangleBot - S1069" }, { "description": "[Cheerscrypt](https://attack.mitre.org/software/S1096) is a ransomware that was developed by [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) and has been used in attacks against ESXi and Windows environments since at least 2022. [Cheerscrypt](https://attack.mitre.org/software/S1096) was derived from the leaked [Babuk](https://attack.mitre.org/software/S0638) source code and has infrastructure overlaps with deployments of Night Sky ransomware, which was also derived from [Babuk](https://attack.mitre.org/software/S0638).(Citation: Sygnia Emperor Dragonfly October 2022)(Citation: Trend Micro Cheerscrypt May 2022)", "meta": { "external_id": "S1096", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1096", "https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group", "https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html" ], "synonyms": [ "Cheerscrypt" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" } ], "uuid": "5d3fa1db-5041-4560-b87b-8f61cc225c52", "value": "Cheerscrypt - S1096" }, { "description": "[Neoichor](https://attack.mitre.org/software/S0691) is C2 malware used by [Ke3chang](https://attack.mitre.org/groups/G0004) since at least 2019; similar malware families used by the group include Leeson and Numbldea.(Citation: Microsoft NICKEL December 2021)", "meta": { "external_id": "S0691", "mitre_platforms": [ "Windows" ], "refs": [ 
"https://attack.mitre.org/software/S0691", "https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" ], "synonyms": [ "Neoichor" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "4d7bf2ac-f953-4907-b114-be44dc174d67", "value": "Neoichor - S0691" }, { "description": "[RawPOS](https://attack.mitre.org/software/S0169) is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. (Citation: Kroll RawPOS Jan 2017) (Citation: TrendMicro RawPOS April 2015) (Citation: Visa RawPOS March 2015) FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. 
(Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)", "meta": { "external_id": "S0169", "mitre_platforms": [ "Windows" ], "refs": [ "http://sjc1-te-ftp.trendmicro.com/images/tex/pdf/RawPOS%20Technical%20Brief.pdf", "https://attack.mitre.org/software/S0169", "https://github.com/DiabloHorn/mempdump", "https://usa.visa.com/dam/VCOM/download/merchants/alert-rawpos.pdf", "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?", "https://www.kroll.com/en/insights/publications/malware-analysis-report-rawpos-malware", "https://www.youtube.com/watch?v=fevGZs0EQu8" ], "synonyms": [ "RawPOS", "FIENDCRY", "DUEBREW", "DRIFTWOOD" ] }, "related": [ { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", "value": "RawPOS - S0169" }, { "description": "[Hornbill](https://attack.mitre.org/software/S1077) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Hornbill](https://attack.mitre.org/software/S1077) was first active in early 2018. 
While [Hornbill](https://attack.mitre.org/software/S1077) and [Sunbird](https://attack.mitre.org/software/S1082) overlap in core capabilities, [Hornbill](https://attack.mitre.org/software/S1077) has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)", "meta": { "external_id": "S1077", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1077", "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict" ], "synonyms": [ "Hornbill" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "24a77e53-0751-46fc-b207-99378fb35c08", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "type": "uses" }, { "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", "type": "uses" }, { "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": 
"e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "value": "Hornbill - S1077" }, { "description": "[Daserf](https://attack.mitre.org/software/S0187) is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)", "meta": { "external_id": "S0187", "mitre_platforms": [ "Windows" ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://attack.mitre.org/software/S0187", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" ], "synonyms": [ "Daserf", "Muirim", "Nioupale" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { 
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", "type": "uses" } ], "uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "value": "Daserf - S0187" }, { "description": "[RotaJakiro](https://attack.mitre.org/software/S1078) is a 64-bit Linux backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First seen in 2018, it uses a plugin architecture to extend capabilities. [RotaJakiro](https://attack.mitre.org/software/S1078) can determine its permission level and execute according to access type (`root` or `user`).(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: netlab360 rotajakiro vs oceanlotus)", "meta": { "external_id": "S1078", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S1078", "https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/", "https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/" ], "synonyms": [ "RotaJakiro" ] }, "related": [ { "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", 
"type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", "type": "uses" }, { "dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11", "type": "uses" } ], "uuid": "08e844a8-371f-4fe3-9d1f-e056e64a7fde", "value": "RotaJakiro - S1078" }, { "description": "[Truvasys](https://attack.mitre.org/software/S0178) is first-stage malware that has been used by [PROMETHIUM](https://attack.mitre.org/groups/G0056). It is a collection of modules written in the Delphi programming language. (Citation: Microsoft Win Defender Truvasys Sep 2017) (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)", "meta": { "external_id": "S0178", "mitre_platforms": [ "Windows" ], "refs": [ "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf", "https://attack.mitre.org/software/S0178", "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Truvasys.A!dha" ], "synonyms": [ "Truvasys" ] }, "related": [ { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" } ], "uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", "value": "Truvasys - S0178" }, { "description": "[PUNCHTRACK](https://attack.mitre.org/software/S0197) is non-persistent point of sale (POS) system malware utilized by [FIN8](https://attack.mitre.org/groups/G0061) to scrape payment card data. 
(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)", "meta": { "external_id": "S0197", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0197", "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html", "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" ], "synonyms": [ "PUNCHTRACK", "PSVC" ] }, "related": [ { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" } ], "uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", "value": "PUNCHTRACK - S0197" }, { "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that [BOULDSPY](https://attack.mitre.org/software/S1079) primarily targeted minority groups in Iran.(Citation: lookout_bouldspy_0423)", "meta": { "external_id": "S1079", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S1079", "https://www.lookout.com/blog/iranian-spyware-bouldspy" ], "synonyms": [ "BOULDSPY" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": 
"702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, { "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", "type": "uses" }, { "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "type": "uses" }, { "dest-uuid": "d446b9f0-06a9-4a8d-97ee-298cfee84f14", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" } ], "uuid": "a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "value": "BOULDSPY - S1079" }, { "description": "[Disco](https://attack.mitre.org/software/S1088) is a custom implant that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.(Citation: MoustachedBouncer ESET August 2023)", "meta": { "external_id": "S1088", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1088", "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" ], "synonyms": [ "Disco" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": 
"uses" }, { "dest-uuid": "43c9bc06-715b-42db-972f-52d25c09a20c", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "e1445afd-c359-45ed-8f27-626dc4d5e157", "value": "Disco - S1088" }, { "description": "[Starloader](https://attack.mitre.org/software/S0188) is a loader component that has been observed loading [Felismus](https://attack.mitre.org/software/S0171) and associated tools. (Citation: Symantec Sowbug Nov 2017)", "meta": { "external_id": "S0188", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0188", "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" ], "synonyms": [ "Starloader" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" } ], "uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", "value": "Starloader - S0188" }, { "description": "[SharpDisco](https://attack.mitre.org/software/S1089) is a dropper developed in C# that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 to load malicious plugins.(Citation: MoustachedBouncer ESET August 2023)", "meta": { "external_id": "S1089", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1089", "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" ], "synonyms": [ "SharpDisco" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { 
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "1fefb062-feda-484a-8f10-0cebf65e20e3", "value": "SharpDisco - S1089" }, { "description": "[NETWIRE](https://attack.mitre.org/software/S0198) is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.(Citation: FireEye APT33 Sept 2017)(Citation: McAfee Netwire Mar 2015)(Citation: FireEye APT33 Webinar Sept 2017)", "meta": { "external_id": "S0198", "mitre_platforms": [ "Windows", "Linux", "macOS" ], "refs": [ "https://attack.mitre.org/software/S0198", "https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/", "https://www.brighttalk.com/webcast/10703/275683", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" ], "synonyms": [ "NETWIRE" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "type": 
"uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "84601337-6a55-4ad7-9c35-79e0d1ea2ab3", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", "type": "uses" }, { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": 
"d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", "value": "NETWIRE - S0198" }, { "description": "[ISMInjector](https://attack.mitre.org/software/S0189) is a Trojan used to install another [OilRig](https://attack.mitre.org/groups/G0049) backdoor, ISMAgent. (Citation: OilRig New Delivery Oct 2017)", "meta": { "external_id": "S0189", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0189", "https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/" ], "synonyms": [ "ISMInjector" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" } ], "uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", "value": "ISMInjector - S0189" }, { "description": "[TURNEDUP](https://attack.mitre.org/software/S0199) is a non-public backdoor. It has been dropped by [APT33](https://attack.mitre.org/groups/G0064)'s [StoneDrill](https://attack.mitre.org/software/S0380) malware. 
(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", "meta": { "external_id": "S0199", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0199", "https://www.brighttalk.com/webcast/10703/275683", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" ], "synonyms": [ "TURNEDUP" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c", "value": "TURNEDUP - S0199" }, { "description": "[Samurai](https://attack.mitre.org/software/S1099) is a passive backdoor that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2020. 
[Samurai](https://attack.mitre.org/software/S1099) allows arbitrary C# code execution and is used with multiple modules for remote administration and lateral movement.(Citation: Kaspersky ToddyCat June 2022)", "meta": { "external_id": "S1099", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1099", "https://securelist.com/toddycat/106799/" ], "synonyms": [ "Samurai" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4", "type": "uses" } ], "uuid": "ae91fb8f-5031-4f57-9839-e3be3ed503f0", "value": "Samurai - S1099" }, { "description": "[CCBkdr](https://attack.mitre.org/software/S0222) is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. 
(Citation: Talos CCleanup 2017) (Citation: Intezer Aurora Sept 2017)", "meta": { "external_id": "S0222", "mitre_platforms": [ "Windows" ], "refs": [ "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html", "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/", "https://attack.mitre.org/software/S0222" ], "synonyms": [ "CCBkdr" ] }, "related": [ { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "type": "uses" } ], "uuid": "b0f13390-cec7-4814-b37c-ccec01887faa", "value": "CCBkdr - S0222" }, { "description": "[POWERSTATS](https://attack.mitre.org/software/S0223) is a PowerShell-based first stage backdoor used by [MuddyWater](https://attack.mitre.org/groups/G0069). (Citation: Unit 42 MuddyWater Nov 2017)", "meta": { "external_id": "S0223", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0223", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" ], "synonyms": [ "POWERSTATS", "Powermud" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "type": "uses" }, { 
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", "value": "POWERSTATS - S0223" }, { "description": "[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. 
(Citation: ArsTechnica-HummingBad)", "meta": { "external_id": "S0322", "refs": [ "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/", "https://attack.mitre.org/software/S0322" ], "synonyms": [ "HummingBad" ] }, "related": [ { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, { "dest-uuid": "f5cacc72-f02a-42d1-a020-7a59650086bb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "c8770c81-c29f-40d2-a140-38544206b2b4", "value": "HummingBad - S0322" }, { "description": "[HOMEFRY](https://attack.mitre.org/software/S0232) is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other [Leviathan](https://attack.mitre.org/groups/G0065) backdoors. (Citation: FireEye Periscope March 2018)", "meta": { "external_id": "S0232", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0232", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" ], "synonyms": [ "HOMEFRY" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" } ], "uuid": "7451bcf9-e6e6-4a70-bc3d-1599173d0035", "value": "HOMEFRY - S0232" }, { "description": "[SynAck](https://attack.mitre.org/software/S0242) is a variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. 
(Citation: SecureList SynAck Doppelgänging May 2018) (Citation: Kaspersky Lab SynAck May 2018)", "meta": { "external_id": "S0242", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0242", "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/", "https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging" ], "synonyms": [ "SynAck" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" } ], "uuid": "04227b24-7817-4de1-9050-b7b1b57f5866", "value": "SynAck - S0242" }, { "description": "[Anubis](https://attack.mitre.org/software/S0422) is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.(Citation: Cofense Anubis)", "meta": { "external_id": "S0422", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0422", "https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/" ], "synonyms": [ "Anubis" ] }, "related": [ 
{ "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "type": "uses" }, { "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", "type": "uses" }, { "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "986f80f7-ff0e-4f48-87bd-0394814bbce5", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4", "type": "uses" }, { "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec", "type": "uses" } ], "uuid": "a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "value": "Anubis - S0422" }, { "description": "[Exobot](https://attack.mitre.org/software/S0522) is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.(Citation: Threat Fabric Exobot)", "meta": { "external_id": "S0522", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0522", "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks", 
"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" ], "synonyms": [ "Exobot", "Marcher" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "1d44f529-6fe6-489f-8a01-6261ac43f05e", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "type": "uses" }, { "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "type": "uses" } ], "uuid": "c91cec55-634c-4670-ba10-2dc7ceb28e98", "value": "Exobot - S0522" }, { "description": "[AppleSeed](https://attack.mitre.org/software/S0622) is a backdoor that has been used by [Kimsuky](https://attack.mitre.org/groups/G0094) to target South Korean government, academic, and commercial targets since at least 2021.(Citation: Malwarebytes Kimsuky June 2021)", "meta": { "external_id": "S0622", "mitre_platforms": [ "Windows", "Android" ], "refs": [ "https://attack.mitre.org/software/S0622", "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" ], "synonyms": [ "AppleSeed" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { 
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" }, { "dest-uuid": 
"deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "295721d2-ee20-4fa3-ade3-37f4146b4570", "value": "AppleSeed - S0622" }, { "description": "[NDiskMonitor](https://attack.mitre.org/software/S0272) is a custom backdoor written in .NET that appears to be unique to [Patchwork](https://attack.mitre.org/groups/G0040). (Citation: TrendMicro Patchwork Dec 2017)", "meta": { "external_id": "S0272", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0272", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" ], "synonyms": [ "NDiskMonitor" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e", "value": "NDiskMonitor - S0272" }, { "description": "[NanHaiShu](https://attack.mitre.org/software/S0228) is a remote access tool and JScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). [NanHaiShu](https://attack.mitre.org/software/S0228) has been used to target government and private-sector organizations that have relations to the South China Sea dispute. 
(Citation: Proofpoint Leviathan Oct 2017) (Citation: fsecure NanHaiShu July 2016)", "meta": { "external_id": "S0228", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0228", "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf", "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" ], "synonyms": [ "NanHaiShu" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7abd6950-7a07-4d9e-ade1-62414fa50619", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", "value": "NanHaiShu - S0228" }, { "description": "[MacSpy](https://attack.mitre.org/software/S0282) is a malware-as-a-service offered on the darkweb (Citation: objsee mac malware 2017).", "meta": { "external_id": "S0282", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0282", "https://objective-see.com/blog/blog_0x25.html" ], "synonyms": [ "MacSpy" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { 
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "f72251cb-2be5-421f-a081-99c29a1209e7", "value": "MacSpy - S0282" }, { "description": "[AndroRAT](https://attack.mitre.org/software/S0292) is an open-source remote access tool for Android devices. [AndroRAT](https://attack.mitre.org/software/S0292) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as sending SMS messages and taking pictures.(Citation: Lookout-EnterpriseApps)(Citation: github_androrat)(Citation: Forcepoint BITTER Pakistan Oct 2016) It is originally available through the `The404Hacking` Github repository.(Citation: github_androrat)", "meta": { "external_id": "S0292", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0292", "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/", "https://web.archive.org/web/20221013124327/https://github.com/The404Hacking/AndroRAT", "https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" ], "synonyms": [ "AndroRAT" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "80447111-8085-40a4-a052-420926091ac6", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" } ], "uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", "value": "AndroRAT - S0292" }, { "description": "[Orz](https://attack.mitre.org/software/S0229) is a custom JavaScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)", "meta": { "external_id": "S0229", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0229", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" ], "synonyms": [ "Orz", "AIRBREAK" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": 
"b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "fd419da6-5c0d-461e-96ee-64397efac63b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b", "value": "Orz - S0229" }, { "description": "[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. (Citation: CheckPoint-Charger)", "meta": { "external_id": "S0323", "mitre_platforms": [ "Android" ], "refs": [ "http://blog.checkpoint.com/2017/01/24/charger-malware/", "https://attack.mitre.org/software/S0323" ], "synonyms": [ "Charger" ] }, "related": [ { "dest-uuid": "6e0545df-8df6-4990-971c-e96c4c60d561", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "type": "uses" } ], "uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", "value": "Charger - S0323" }, { "description": "[MURKYTOP](https://attack.mitre.org/software/S0233) is a reconnaissance tool used by [Leviathan](https://attack.mitre.org/groups/G0065). 
(Citation: FireEye Periscope March 2018)", "meta": { "external_id": "S0233", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0233", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" ], "synonyms": [ "MURKYTOP" ] }, "related": [ { "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "type": "uses" } ], "uuid": "049ff071-0b3c-4712-95d2-d21c6aa54501", "value": "MURKYTOP - S0233" }, { "description": "[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 
1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)", "meta": { "external_id": "S0432", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0432", "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" ], "synonyms": [ "Bread", "Joker" ] }, "related": [ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, { "dest-uuid": "51636761-2e35-44bf-9e56-e337adf97174", "type": "uses" }, { "dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" } ], "uuid": "108b2817-bc01-404e-8e1b-8cdeec846326", "value": "Bread - S0432" }, { "description": "[Bandook](https://attack.mitre.org/software/S0234) is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. 
[Bandook](https://attack.mitre.org/software/S0234) has been used by [Dark Caracal](https://attack.mitre.org/groups/G0070), as well as in a separate campaign referred to as \"Operation Manul\".(Citation: EFF Manul Aug 2016)(Citation: Lookout Dark Caracal Jan 2018)(Citation: CheckPoint Bandook Nov 2020)", "meta": { "external_id": "S0234", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0234", "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "https://research.checkpoint.com/2020/bandook-signed-delivered/", "https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf" ], "synonyms": [ "Bandook" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": 
"970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "835a79f1-842d-472d-b8f4-d54b545c341b", "value": "Bandook - S0234" }, { "description": "[DealersChoice](https://attack.mitre.org/software/S0243) is a Flash exploitation framework used by [APT28](https://attack.mitre.org/groups/G0007). (Citation: Sofacy DealersChoice)", "meta": { "external_id": "S0243", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0243", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" ], "synonyms": [ "DealersChoice" ] }, "related": [ { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "8f460983-1bbb-4e7e-8094-f0b5e720f658", "value": "DealersChoice - S0243" }, { "description": "[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. 
(Citation: PaloAlto-SpyDealer)", "meta": { "external_id": "S0324", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0324", "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" ], "synonyms": [ "SpyDealer" ] }, "related": [ { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" } ], "uuid": "86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "value": "SpyDealer - S0324" }, { "description": "[GreyEnergy](https://attack.mitre.org/software/S0342) is a backdoor written in C and compiled in Visual Studio. 
[GreyEnergy](https://attack.mitre.org/software/S0342) shares similarities with the [BlackEnergy](https://attack.mitre.org/software/S0089) malware and is thought to be the successor of it.(Citation: ESET GreyEnergy Oct 2018)", "meta": { "external_id": "S0342", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0342", "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" ], "synonyms": [ "GreyEnergy" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "308b3d68-a084-4dfb-885a-3125e1a9c1e8", "value": "GreyEnergy - S0342" }, { "description": "[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. 
Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)", "meta": { "external_id": "S0423", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0423", "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" ], "synonyms": [ "Ginp" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" } ], "uuid": "6146be90-470c-4049-bb3a-9986b8ffb65b", "value": "Ginp - S0423" }, { "description": "[CrossRAT](https://attack.mitre.org/software/S0235) is a cross platform RAT.", "meta": { "external_id": "S0235", "mitre_platforms": [ "Linux", "Windows", "macOS" ], "refs": [ "https://attack.mitre.org/software/S0235", "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" ], "synonyms": [ "CrossRAT" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { 
"dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11", "type": "uses" } ], "uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea", "value": "CrossRAT - S0235" }, { "description": "[RunningRAT](https://attack.mitre.org/software/S0253) is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [Brave Prince](https://attack.mitre.org/software/S0252). (Citation: McAfee Gold Dragon)", "meta": { "external_id": "S0253", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0253", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" ], "synonyms": [ "RunningRAT" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" } ], "uuid": "60d50676-459a-47dd-92e9-a827a9fe9c58", "value": "RunningRAT - S0253" }, { "description": "[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. 
(Citation: CheckPoint-Judy)", "meta": { "external_id": "S0325", "refs": [ "https://attack.mitre.org/software/S0325", "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" ] }, "related": [ { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" } ], "uuid": "172444ab-97fc-4d94-b142-179452bfb760", "value": "Judy - S0325" }, { "description": "[Lucifer](https://attack.mitre.org/software/S0532) is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.(Citation: Unit 42 Lucifer June 2020)", "meta": { "external_id": "S0532", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0532", "https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" ], "synonyms": [ "Lucifer" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": 
"9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "54a73038-1937-4d71-a253-316e76d5413c", "value": "Lucifer - S0532" }, { "description": "[TYPEFRAME](https://attack.mitre.org/software/S0263) is a remote access tool that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: US-CERT TYPEFRAME June 2018)", "meta": { "external_id": "S0263", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0263", "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A" ], "synonyms": [ "TYPEFRAME" ] }, "related": [ { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": 
"b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", "value": "TYPEFRAME - S0263" }, { "description": "[GrimAgent](https://attack.mitre.org/software/S0632) is a backdoor that has been used before the deployment of [Ryuk](https://attack.mitre.org/software/S0446) ransomware since at least 2020; it is likely used by [FIN6](https://attack.mitre.org/groups/G0037) and [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Group IB GrimAgent July 2021)", "meta": { "external_id": "S0632", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0632", "https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer" ], "synonyms": [ "GrimAgent" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { 
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" } ], "uuid": "c9b99d03-ff11-4a48-95f0-82660d582c25", "value": "GrimAgent - S0632" }, { "description": "[RedDrop](https://attack.mitre.org/software/S0326) is an Android malware family that exfiltrates sensitive data from devices. 
(Citation: Wandera-RedDrop)", "meta": { "external_id": "S0326", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0326", "https://www.wandera.com/reddrop-malware/" ], "synonyms": [ "RedDrop" ] }, "related": [ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, { "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "value": "RedDrop - S0326" }, { "description": "[Kwampirs](https://attack.mitre.org/software/S0236) is a backdoor Trojan used by [Orangeworm](https://attack.mitre.org/groups/G0071). 
[Kwampirs](https://attack.mitre.org/software/S0236) has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines.(Citation: Symantec Orangeworm April 2018) [Kwampirs](https://attack.mitre.org/software/S0236) has multiple technical overlaps with [Shamoon](https://attack.mitre.org/software/S0140) based on reverse engineering analysis.(Citation: Cylera Kwampirs 2022)", "meta": { "external_id": "S0236", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0236", "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf", "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" ], "synonyms": [ "Kwampirs" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { 
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab", "value": "Kwampirs - S0236" }, { "description": "[Siloscape](https://attack.mitre.org/software/S0623) is malware that targets Kubernetes clusters through Windows containers. [Siloscape](https://attack.mitre.org/software/S0623) was first observed in March 2021.(Citation: Unit 42 Siloscape Jun 2021)", "meta": { "external_id": "S0623", "mitre_platforms": [ "Windows", "Containers" ], "refs": [ "https://attack.mitre.org/software/S0623", "https://unit42.paloaltonetworks.com/siloscape/" ], "synonyms": [ "Siloscape" ] }, "related": [ { "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "type": "uses" }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665", "type": "uses" }, { "dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": 
"e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" } ], "uuid": "4fbd565b-bf55-4ac7-80b4-b183a7b64b9c", "value": "Siloscape - S0623" }, { "description": "[GravityRAT](https://attack.mitre.org/software/S0237) is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are \"TheMartian\" and \"The Invincible.\" According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organization and entities in India. (Citation: Talos GravityRAT)", "meta": { "external_id": "S0237", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0237", "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" ], "synonyms": [ "GravityRAT" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { 
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "1d1fce2f-0db5-402b-9843-4278a0694637", "value": "GravityRAT - S0237" }, { "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", "meta": { "external_id": "S0372", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0372", "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/", "https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/" ], "synonyms": [ "LockerGoga" ] }, "related": [ { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" } ], "uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48", "value": "LockerGoga - S0372" }, { "description": "[Socksbot](https://attack.mitre.org/software/S0273) is a backdoor that abuses Socket Secure (SOCKS) proxies. 
(Citation: TrendMicro Patchwork Dec 2017)", "meta": { "external_id": "S0273", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0273", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" ], "synonyms": [ "Socksbot" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "e494ad79-37ee-4cd0-866b-299c521d8b94", "value": "Socksbot - S0273" }, { "description": "[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. (Citation: Kaspersky-Skygofree)", "meta": { "external_id": "S0327", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0327", "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" ], "synonyms": [ "Skygofree" ] }, "related": [ { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" } ], "uuid": "3a913bac-4fae-4d0e-bca8-cae452f1599b", "value": "Skygofree - S0327" }, { "description": "[jRAT](https://attack.mitre.org/software/S0283) is a cross-platform, Java-based backdoor originally 
available for purchase in 2012. Variants of [jRAT](https://attack.mitre.org/software/S0283) have been distributed via a software-as-a-service platform, similar to an online subscription model.(Citation: Kaspersky Adwind Feb 2016) (Citation: jRAT Symantec Aug 2018)", "meta": { "external_id": "S0283", "mitre_platforms": [ "Linux", "Windows", "macOS", "Android" ], "refs": [ "https://attack.mitre.org/software/S0283", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf", "https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools", "https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques" ], "synonyms": [ "jRAT", "JSocket", "AlienSpy", "Frutas", "Sockrat", "Unrecom", "jFrutas", "Adwind", "jBiFrost", "Trojan.Maljava" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": 
"7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" } ], "uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c", "value": "jRAT - S0283" }, { "description": "[ServHelper](https://attack.mitre.org/software/S0382) is a backdoor first observed in late 2018. 
The backdoor is written in Delphi and is typically delivered as a DLL file.(Citation: Proofpoint TA505 Jan 2019)", "meta": { "external_id": "S0382", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0382", "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" ], "synonyms": [ "ServHelper" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" } ], "uuid": "aae22730-e571-4d17-b037-65f2a3e26213", "value": "ServHelper - S0382" }, { "description": "[Proxysvc](https://attack.mitre.org/software/S0238) is a malicious DLL used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc](https://attack.mitre.org/software/S0238) is to deliver additional payloads to the target and to maintain control for the attacker. 
It is in the form of a DLL that can also be executed as a standalone process. (Citation: McAfee GhostSecret)", "meta": { "external_id": "S0238", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0238", "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" ], "synonyms": [ "Proxysvc" ] }, "related": [ { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "069af411-9b24-4e85-b26c-623d035bbe84", "value": "Proxysvc - S0238" }, { "description": "[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. 
(Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)", "meta": { "external_id": "S0293", "refs": [ "http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/", "https://attack.mitre.org/software/S0293", "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" ] }, "related": [ { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" } ], "uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", "value": "BrainTest - S0293" }, { "description": "[Bankshot](https://attack.mitre.org/software/S0239) is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, [Lazarus Group](https://attack.mitre.org/groups/G0032) used the [Bankshot](https://attack.mitre.org/software/S0239) implant in attacks against the Turkish financial sector. 
(Citation: McAfee Bankshot)", "meta": { "external_id": "S0239", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0239", "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" ], "synonyms": [ "Bankshot", "Trojan Manuscript" ] }, "related": [ { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", 
"type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "1f6e3702-7ca1-4582-b2e7-4591297d05a8", "value": "Bankshot - S0239" }, { "description": "[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)", "meta": { "external_id": "S0329", "mitre_platforms": [ "iOS" ], "refs": [ "https://attack.mitre.org/software/S0329", "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" ], "synonyms": [ "Tangelo" ] }, "related": [ { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" } ], "uuid": "35aae10a-97c5-471a-9c67-02c231a7a31a", "value": "Tangelo - S0329" }, { "description": "[VBShower](https://attack.mitre.org/software/S0442) is a backdoor that has been used by [Inception](https://attack.mitre.org/groups/G0100) since at least 2019. 
[VBShower](https://attack.mitre.org/software/S0442) has been used as a downloader for second stage payloads, including [PowerShower](https://attack.mitre.org/software/S0441).(Citation: Kaspersky Cloud Atlas August 2019)", "meta": { "external_id": "S0442", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0442", "https://securelist.com/recent-cloud-atlas-activity/92016/" ], "synonyms": [ "VBShower" ] }, "related": [ { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "8caa18af-4758-4fd3-9600-e8af579e89ed", "value": "VBShower - S0442" }, { "description": "[Comnie](https://attack.mitre.org/software/S0244) is a remote backdoor which has been used in attacks in East Asia. 
(Citation: Palo Alto Comnie)", "meta": { "external_id": "S0244", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0244", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/" ], "synonyms": [ "Comnie" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" } ], "uuid": "f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e", "value": "Comnie - S0244" }, { "description": "[Triada](https://attack.mitre.org/software/S0424) was first reported in 2016 as a second stage malware. 
Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)", "meta": { "external_id": "S0424", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0424", "https://www.kaspersky.com/blog/triada-trojan/11481/" ], "synonyms": [ "Triada" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc", "type": "uses" }, { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec", "type": "uses" } ], "uuid": "f082fc59-0317-49cf-971f-a1b6296ebb52", "value": "Triada - S0424" }, { "description": "[BADCALL](https://attack.mitre.org/software/S0245) is a Trojan malware variant used by the group [Lazarus Group](https://attack.mitre.org/groups/G0032). 
(Citation: US-CERT BADCALL)", "meta": { "external_id": "S0245", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0245", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF" ], "synonyms": [ "BADCALL" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" } ], "uuid": "9dbdadb6-fdbf-490f-a35f-38762d06a0d2", "value": "BADCALL - S0245" }, { "description": "[PLAINTEE](https://attack.mitre.org/software/S0254) is a malware sample that has been used by [Rancor](https://attack.mitre.org/groups/G0075) in targeted attacks in Singapore and Cambodia. 
(Citation: Rancor Unit42 June 2018)", "meta": { "external_id": "S0254", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0254", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" ], "synonyms": [ "PLAINTEE" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", "value": "PLAINTEE - S0254" }, { "description": "[USBferry](https://attack.mitre.org/software/S0452) is an information stealing malware and has been used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) in targeted attacks against Taiwanese and Philippine air-gapped military environments. 
[USBferry](https://attack.mitre.org/software/S0452) shares an overlapping codebase with [YAHOYAH](https://attack.mitre.org/software/S0388), though it has several features which makes it a distinct piece of malware.(Citation: TrendMicro Tropic Trooper May 2020)", "meta": { "external_id": "S0452", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0452", "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" ], "synonyms": [ "USBferry" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" } ], "uuid": "75bba379-4ba1-467e-8c60-ec2b269ee984", "value": "USBferry - S0452" }, { "description": "[CARROTBAT](https://attack.mitre.org/software/S0462) is a customized dropper that has been in use since at least 2017. 
[CARROTBAT](https://attack.mitre.org/software/S0462) has been used to install [SYSCON](https://attack.mitre.org/software/S0464) and has infrastructure overlap with [KONNI](https://attack.mitre.org/software/S0356).(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)", "meta": { "external_id": "S0462", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0462", "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/", "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/" ], "synonyms": [ "CARROTBAT" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "1b9f0800-035e-4ed1-9648-b18294cc5bc8", "value": "CARROTBAT - S0462" }, { "description": "[HARDRAIN](https://attack.mitre.org/software/S0246) is a Trojan malware variant reportedly used by the North Korean government. 
(Citation: US-CERT HARDRAIN March 2018)", "meta": { "external_id": "S0246", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0246", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf" ], "synonyms": [ "HARDRAIN" ] }, "related": [ { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" } ], "uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988", "value": "HARDRAIN - S0246" }, { "description": "[BADFLICK](https://attack.mitre.org/software/S0642) is a backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065) in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.(Citation: FireEye Periscope March 2018)(Citation: Accenture MUDCARP March 2019)", "meta": { "external_id": "S0642", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0642", "https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" ], "synonyms": [ "BADFLICK" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": 
"707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "57d83eac-a2ea-42b0-a7b2-c80c55157790", "value": "BADFLICK - S0642" }, { "description": "[OopsIE](https://attack.mitre.org/software/S0264) is a Trojan used by [OilRig](https://attack.mitre.org/groups/G0049) to remotely execute commands as well as upload/download files to/from victims. (Citation: Unit 42 OopsIE! Feb 2018)", "meta": { "external_id": "S0264", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0264", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" ], "synonyms": [ "OopsIE" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": 
"deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c", "value": "OopsIE - S0264" }, { "description": "[Ecipekac](https://attack.mitre.org/software/S0624) is a multi-layer loader that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2019 including use as a loader for [P8RAT](https://attack.mitre.org/software/S0626), [SodaMaster](https://attack.mitre.org/software/S0627), and [FYAnti](https://attack.mitre.org/software/S0628).(Citation: Securelist APT10 March 2021)", "meta": { "external_id": "S0624", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0624", "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" ], "synonyms": [ "Ecipekac", "HEAVYHAND", "SigLoader", "DESLoader" ] }, "related": [ { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "292eb0c5-b8e8-4af6-9e8f-0fda6b4528d3", "value": "Ecipekac - S0624" }, { "description": "[NavRAT](https://attack.mitre.org/software/S0247) is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. 
(Citation: Talos NavRAT May 2018)", "meta": { "external_id": "S0247", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0247", "https://blog.talosintelligence.com/2018/05/navrat.html" ], "synonyms": [ "NavRAT" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "53a42597-1974-4b8e-84fd-3675e8992053", "value": "NavRAT - S0247" }, { "description": "[Calisto](https://attack.mitre.org/software/S0274) is a macOS Trojan that opens a backdoor on the compromised machine. [Calisto](https://attack.mitre.org/software/S0274) is believed to have first been developed in 2016. 
(Citation: Securelist Calisto July 2018) (Citation: Symantec Calisto July 2018)", "meta": { "external_id": "S0274", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0274", "https://securelist.com/calisto-trojan-for-macos/86543/", "https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days" ], "synonyms": [ "Calisto" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "810aa4ad-61c9-49cb-993f-daa06199421d", "type": "uses" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "type": "uses" }, { "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "b8fdef82-d2cf-4948-8949-6466357b1be1", "value": "Calisto - S0274" }, { "description": "[TrickMo](https://attack.mitre.org/software/S0427) is a 2FA bypass mobile banking trojan, most likely distributed by [TrickBot](https://attack.mitre.org/software/S0266). 
[TrickMo](https://attack.mitre.org/software/S0427) has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)\n\n[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo) ", "meta": { "external_id": "S0427", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0427", "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" ], "synonyms": [ "TrickMo" ] }, "related": [ { "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "acf8fd2a-dc98-43b4-8d37-64e10728e591", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" } ], "uuid": "21170624-89db-4e99-bf27-58d26be07c3a", "value": "TrickMo - S0427" }, { "description": " 
[down_new](https://attack.mitre.org/software/S0472) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)", "meta": { "external_id": "S0472", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0472", "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" ], "synonyms": [ "down_new" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "8be7c69e-d8e3-4970-9668-61de08e508cc", "value": "down_new - S0472" }, { "description": "[PoetRAT](https://attack.mitre.org/software/S0428) is a remote access trojan (RAT) that was first identified in April 2020. [PoetRAT](https://attack.mitre.org/software/S0428) has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. [PoetRAT](https://attack.mitre.org/software/S0428) derived its name from references in the code to poet William Shakespeare. 
(Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020)(Citation: Dragos Threat Report 2020)", "meta": { "external_id": "S0428", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0428", "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html", "https://blog.talosintelligence.com/2020/10/poetrat-update.html", "https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770" ], "synonyms": [ "PoetRAT" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { 
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c", "value": "PoetRAT - S0428" }, { "description": "[Bundlore](https://attack.mitre.org/software/S0482) is adware written for macOS that has been in use since at least 2015. 
Though categorized as adware, [Bundlore](https://attack.mitre.org/software/S0482) has many features associated with more traditional backdoors.(Citation: MacKeeper Bundlore Apr 2019)", "meta": { "external_id": "S0482", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0482", "https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/" ], "synonyms": [ "Bundlore", "OSX.Bundlore" ] }, "related": [ { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", "type": "uses" }, { "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", "type": "uses" }, { "dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "type": "uses" }, { "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": 
"e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "7bef1b56-4870-4e74-b32a-7dd88c390c44", "value": "Bundlore - S0482" }, { "description": "[More_eggs](https://attack.mitre.org/software/S0284) is a JScript backdoor used by [Cobalt Group](https://attack.mitre.org/groups/G0080) and [FIN6](https://attack.mitre.org/groups/G0037). Its name was given based on the variable \"More_eggs\" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. (Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)", "meta": { "external_id": "S0284", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0284", "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" ], "synonyms": [ "More_eggs", "SKID", "Terra Loader", "SpicyOmelette" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": 
"707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", "value": "More_eggs - S0284" }, { "description": "[yty](https://attack.mitre.org/software/S0248) is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. (Citation: ASERT Donot March 2018)", "meta": { "external_id": "S0248", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0248", "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" ], "synonyms": [ "yty" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": 
"deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" } ], "uuid": "0817aaf2-afea-4c32-9285-4dcd1df5bf14", "value": "yty - S0248" }, { "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. (Citation: Lookout-Adware)", "meta": { "external_id": "S0294", "refs": [ "https://attack.mitre.org/software/S0294", "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" ] }, "related": [ { "dest-uuid": "0c769e82-df28-4f65-97f5-7f3d88488f2e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "type": "uses" } ], "uuid": "c80a6bef-b3ce-44d0-b113-946e93124898", "value": "ShiftyBug - S0294" }, { "description": "[CookieMiner](https://attack.mitre.org/software/S0492) is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. 
It was first discovered in the wild in 2019.(Citation: Unit42 CookieMiner Jan 2019)", "meta": { "external_id": "S0492", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0492", "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" ], "synonyms": [ "CookieMiner" ] }, "related": [ { "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "eedc01d5-95e6-4d21-bcd4-1121b1df4586", "value": "CookieMiner - S0492" }, { "description": "[Pay2Key](https://attack.mitre.org/software/S0556) is a ransomware written in C++ that has been used by [Fox Kitten](https://attack.mitre.org/groups/G0117) since at least July 2020 including campaigns against Israeli companies. 
[Pay2Key](https://attack.mitre.org/software/S0556) has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.(Citation: ClearkSky Fox Kitten February 2020)(Citation: Check Point Pay2Key November 2020)", "meta": { "external_id": "S0556", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0556", "https://research.checkpoint.com/2020/ransomware-alert-pay2key/", "https://www.clearskysec.com/fox-kitten/" ], "synonyms": [ "Pay2Key" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" } ], "uuid": "77ca1aa3-280c-4b67-abaa-e8fb891a8f83", "value": "Pay2Key - S0556" }, { "description": "[DDKONG](https://attack.mitre.org/software/S0255) is a malware sample that was part of a campaign by [Rancor](https://attack.mitre.org/groups/G0075). [DDKONG](https://attack.mitre.org/software/S0255) was first seen used in February 2017. 
(Citation: Rancor Unit42 June 2018)", "meta": { "external_id": "S0255", "refs": [ "https://attack.mitre.org/software/S0255", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", "value": "DDKONG - S0255" }, { "description": "[MarkiRAT](https://attack.mitre.org/software/S0652) is a remote access Trojan (RAT) compiled with Visual Studio that has been used by [Ferocious Kitten](https://attack.mitre.org/groups/G0137) since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "meta": { "external_id": "S0652", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0652", "https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" ], "synonyms": [ "MarkiRAT" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { 
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "532c6004-b1e8-415b-9516-f7c14ba783b1", "value": "MarkiRAT - S0652" }, { "description": "\n[Cuba](https://attack.mitre.org/software/S0625) is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.(Citation: McAfee Cuba April 2021)", "meta": { "external_id": "S0625", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0625", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" ], "synonyms": [ "Cuba" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", 
"type": "uses" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "6cd07296-14aa-403d-9229-6343d03d4752", "value": "Cuba - S0625" }, { "description": "[KGH_SPY](https://attack.mitre.org/software/S0526) is a modular suite of tools used by [Kimsuky](https://attack.mitre.org/groups/G0094) for reconnaissance, information stealing, and backdoor capabilities. 
[KGH_SPY](https://attack.mitre.org/software/S0526) derived its name from PDB paths and internal names found in samples containing \"KGH\".(Citation: Cybereason Kimsuky November 2020)", "meta": { "external_id": "S0526", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0526", "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" ], "synonyms": [ "KGH_SPY" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", "type": "uses" } ], "uuid": "8bdfe255-e658-4ddd-a11c-b854762e451d", "value": "KGH_SPY - S0526" }, { "description": 
"[Kazuar](https://attack.mitre.org/software/S0265) is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. (Citation: Unit 42 Kazuar May 2017)", "meta": { "external_id": "S0265", "mitre_platforms": [ "Windows", "macOS" ], "refs": [ "https://attack.mitre.org/software/S0265", "https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" ], "synonyms": [ "Kazuar" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": 
"uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" } ], "uuid": "536be338-e2ef-4a6b-afb6-8d5568b91eb2", "value": "Kazuar - S0265" }, { "description": "[Mosquito](https://attack.mitre.org/software/S0256) is a Win32 backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010). [Mosquito](https://attack.mitre.org/software/S0256) is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. 
(Citation: ESET Turla Mosquito Jan 2018)", "meta": { "external_id": "S0256", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0256", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" ], "synonyms": [ "Mosquito" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "92b55426-109f-4d93-899f-1833ce91ff90", "value": "Mosquito - S0256" }, { "description": "[SUNSPOT](https://attack.mitre.org/software/S0562) is an implant that injected the [SUNBURST](https://attack.mitre.org/software/S0559) backdoor into the SolarWinds Orion software update framework. 
It was used by [APT29](https://attack.mitre.org/groups/G0016) since at least February 2020.(Citation: CrowdStrike SUNSPOT Implant January 2021) ", "meta": { "external_id": "S0562", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0562", "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" ], "synonyms": [ "SUNSPOT" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" } ], "uuid": "bf48e7f8-752c-4ce8-bf8f-748edacd8fa6", "value": "SUNSPOT - S0562" }, { "description": "[UPPERCUT](https://attack.mitre.org/software/S0275) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045). 
(Citation: FireEye APT10 Sept 2018)", "meta": { "external_id": "S0275", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0275", "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" ], "synonyms": [ "UPPERCUT", "ANEL" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", "value": "UPPERCUT - S0275" }, { "description": "[VERMIN](https://attack.mitre.org/software/S0257) is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. 
(Citation: Unit 42 VERMIN Jan 2018)", "meta": { "external_id": "S0257", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0257", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" ], "synonyms": [ "VERMIN" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "5189f018-fea2-45d7-b0ed-23f9ee0a46f3", "value": "VERMIN - S0257" }, { "description": "[LookBack](https://attack.mitre.org/software/S0582) is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. 
The TALONITE activity group has been observed using [LookBack](https://attack.mitre.org/software/S0582).(Citation: Proofpoint LookBack Malware Aug 2019)(Citation: Dragos TALONITE)(Citation: Dragos Threat Report 2020)", "meta": { "external_id": "S0582", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0582", "https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770", "https://www.dragos.com/threat/talonite/", "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks" ], "synonyms": [ "LookBack" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" } ], "uuid": "c9ccc4df-1f56-49e7-ad57-b383e1451688", "value": "LookBack - S0582" }, { 
"description": "[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. (Citation: HackerNews-OldBoot)", "meta": { "external_id": "S0285", "refs": [ "http://thehackernews.com/2014/01/first-widely-distributed-android.html", "https://attack.mitre.org/software/S0285" ] }, "related": [ { "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", "type": "uses" } ], "uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc", "value": "OldBoot - S0285" }, { "description": "[RGDoor](https://attack.mitre.org/software/S0258) is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. [RGDoor](https://attack.mitre.org/software/S0258) has been seen deployed on webservers belonging to Middle East government organizations. [RGDoor](https://attack.mitre.org/software/S0258) provides backdoor access to compromised IIS servers. (Citation: Unit 42 RGDoor Jan 2018)", "meta": { "external_id": "S0258", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0258", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" ], "synonyms": [ "RGDoor" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", "value": "RGDoor - S0258" }, { "description": "[Javali](https://attack.mitre.org/software/S0528) is a banking trojan that has targeted Portuguese- and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil 
and Mexico.(Citation: Securelist Brazilian Banking Malware July 2020)", "meta": { "external_id": "S0528", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0528", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" ], "synonyms": [ "Javali" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" } ], "uuid": "64122557-5940-4271-9123-25bfc0c693db", "value": "Javali - S0528" }, { "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. 
(Citation: TrendMicro-RCSAndroid)", "meta": { "external_id": "S0295", "mitre_platforms": [ "Android" ], "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", "https://attack.mitre.org/software/S0295" ], "synonyms": [ "RCSAndroid" ] }, "related": [ { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" } ], "uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "value": "RCSAndroid - S0295" }, { "description": "[InnaputRAT](https://attack.mitre.org/software/S0259) is a remote access tool that can exfiltrate files from a victim’s machine. [InnaputRAT](https://attack.mitre.org/software/S0259) has been seen out in the wild since 2016. 
(Citation: ASERT InnaputRAT April 2018)", "meta": { "external_id": "S0259", "mitre_platforms": [ "Windows" ], "refs": [ "https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/", "https://attack.mitre.org/software/S0259" ], "synonyms": [ "InnaputRAT" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" } ], "uuid": "c8b6cc43-ce61-42ae-87f3-a5f10526f952", "value": "InnaputRAT - S0259" }, { "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) is one of a family of four surveillanceware tools that share a common C2 infrastructure. [CarbonSteal](https://attack.mitre.org/software/S0529) primarily deals with audio surveillance. 
(Citation: Lookout Uyghur Campaign)", "meta": { "external_id": "S0529", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0529", "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" ], "synonyms": [ "CarbonSteal" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" } ], "uuid": "007ebf84-4e14-44c7-a5aa-151d5de85320", "value": "CarbonSteal - S0529" }, { "description": "[P8RAT](https://attack.mitre.org/software/S0626) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)", "meta": { "external_id": "S0626", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0626", 
"https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" ], "synonyms": [ "P8RAT", "HEAVYPOT", "GreetCake" ] }, "related": [ { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" } ], "uuid": "7c58fff0-d206-4db1-96b1-e3a9e0e320b9", "value": "P8RAT - S0626" }, { "description": "[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by [Wizard Spider](https://attack.mitre.org/groups/G0102) for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of \"big game hunting\" ransomware campaigns.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: IBM TrickBot Nov 2016)(Citation: CrowdStrike Wizard Spider October 2020)", "meta": { "external_id": "S0266", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0266", "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/", "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/", "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick", 
"https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n" ], "synonyms": [ "TrickBot", "Totbrick", "TSPY_TRICKLOAD" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "type": "uses" }, { "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "type": "uses" }, { "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" 
}, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "uses" }, { "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89", "type": "uses" } ], "uuid": "00806466-754d-44ea-ad6f-0caf59cb8556", "value": "TrickBot - S0266" }, { "description": "[RCSession](https://attack.mitre.org/software/S0662) is a backdoor written in C++ that has been in use since at least 2018 by [Mustang Panda](https://attack.mitre.org/groups/G0129) and by [Threat Group-3390](https://attack.mitre.org/groups/G0027) (Type II Backdoor).(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro Iron Tiger April 2021)(Citation: Trend Micro DRBControl February 2020)", "meta": { "external_id": "S0662", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0662", "https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf", "https://www.secureworks.com/research/bronze-president-targets-ngos", "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" ], "synonyms": [ "RCSession" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": 
"42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "03acae53-9b98-46f6-b204-16b930839055", "value": "RCSession - S0662" }, { "description": "[FELIXROOT](https://attack.mitre.org/software/S0267) is a backdoor that has been used to target Ukrainian victims. 
(Citation: FireEye FELIXROOT July 2018)", "meta": { "external_id": "S0267", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0267", "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html", "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" ], "synonyms": [ "FELIXROOT", "GreyEnergy mini" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "cf8df906-179c-4a78-bd6e-6605e30f6624", "value": "FELIXROOT - S0267" }, { "description": "This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor (Citation: OSX Keydnap malware).", 
"meta": { "external_id": "S0276", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0276", "https://objective-see.org/blog/blog_0x16.html", "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/" ], "synonyms": [ "Keydnap", "OSX/Keydnap" ] }, "related": [ { "dest-uuid": "1a80d097-54df-41d8-9d33-34e755ec5e72", "type": "uses" }, { "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", "type": "uses" }, { "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "b22e5153-ac28-4cc6-865c-2054e36285cb", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86", "type": "uses" } ], "uuid": "4b072c90-bc7a-432b-940e-016fc1c01761", "value": "Keydnap - S0276" }, { "description": "[SodaMaster](https://attack.mitre.org/software/S0627) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)", "meta": { "external_id": "S0627", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0627", "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" ], "synonyms": [ "SodaMaster", "DARKTOWN", "dfls", "DelfsCake" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": 
"4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "94d6d788-07bb-4dcc-b62f-e02626b00108", "value": "SodaMaster - S0627" }, { "description": "[Zox](https://attack.mitre.org/software/S0672) is a remote access tool that has been used by [Axiom](https://attack.mitre.org/groups/G0001) since at least 2008.(Citation: Novetta-Axiom)", "meta": { "external_id": "S0672", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0672", "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" ], "synonyms": [ "Zox", "Gresim", "ZoxRPC", "ZoxPNG" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", "type": "uses" } ], "uuid": "fb28627c-d6ea-4c35-b138-ab5e96ae5445", "value": "Zox - S0672" }, { "description": "OBAD is an Android malware family. 
(Citation: TrendMicro-Obad)", "meta": { "external_id": "S0286", "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/", "https://attack.mitre.org/software/S0286" ] }, "related": [ { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "type": "uses" } ], "uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde", "value": "OBAD - S0286" }, { "description": "[FYAnti](https://attack.mitre.org/software/S0628) is a loader that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2020, including to deploy [QuasarRAT](https://attack.mitre.org/software/S0262).(Citation: Securelist APT10 March 2021)", "meta": { "external_id": "S0628", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0628", "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" ], "synonyms": [ "FYAnti", "DILLJUICE stage2" ] }, "related": [ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "434ba392-ebdc-488b-b1ef-518deea65774", "value": "FYAnti - S0628" }, { "description": "[TrailBlazer](https://attack.mitre.org/software/S0682) is a modular malware that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2019.(Citation: CrowdStrike StellarParticle January 2022)", "meta": { "external_id": "S0682", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0682", "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" ], "synonyms": [ "TrailBlazer" ] }, "related": [ { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": 
"uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" } ], "uuid": "bdad6f3b-de88-42fa-9295-d29b5271808e", "value": "TrailBlazer - S0682" }, { "description": "[Bisonal](https://attack.mitre.org/software/S0268) is a remote access tool (RAT) that has been used by [Tonto Team](https://attack.mitre.org/groups/G0131) against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)", "meta": { "external_id": "S0268", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0268", "https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" ], "synonyms": [ "Bisonal" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": 
"3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "65ffc206-d7c1-45b3-b543-f6b726e7840d", "value": "Bisonal - S0268" }, { "description": "[QUADAGENT](https://attack.mitre.org/software/S0269) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). 
(Citation: Unit 42 QUADAGENT July 2018)", "meta": { "external_id": "S0269", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0269", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" ], "synonyms": [ "QUADAGENT" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", "value": "QUADAGENT - S0269" }, { "description": "[RainyDay](https://attack.mitre.org/software/S0629) is a backdoor tool that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)", "meta": { "external_id": "S0629", "mitre_platforms": [ "Windows" ], "refs": [ 
"https://attack.mitre.org/software/S0629", "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" ], "synonyms": [ "RainyDay" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": 
"f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "29231689-5837-4a7a-aafc-1b65b3f50cc7", "value": "RainyDay - S0629" }, { "description": "FruitFly is designed to spy on mac users (Citation: objsee mac malware 2017).", "meta": { "external_id": "S0277", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0277", "https://objective-see.com/blog/blog_0x25.html" ], "synonyms": [ "FruitFly" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "4a98e44a-bd52-461e-af1e-a4457de87a36", "value": "FruitFly - S0277" }, { "description": "[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. 
(Citation: Xiao-ZergHelper)", "meta": { "external_id": "S0287", "refs": [ "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/", "https://attack.mitre.org/software/S0287" ] }, "related": [ { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" } ], "uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0", "value": "ZergHelper - S0287" }, { "description": "[iKitten](https://attack.mitre.org/software/S0278) is a macOS exfiltration agent (Citation: objsee mac malware 2017).", "meta": { "external_id": "S0278", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0278", "https://objective-see.com/blog/blog_0x25.html" ], "synonyms": [ "iKitten", "OSX/MacDownloader" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", "type": "uses" }, { "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "2cfe8a26-5be7-4a09-8915-ea3d9e787513", "value": "iKitten - S0278" }, { "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. 
(Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)", "meta": { "external_id": "S0297", "refs": [ "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/", "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/", "https://attack.mitre.org/software/S0297" ] }, "related": [ { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "type": "uses" }, { "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", "type": "uses" } ], "uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9", "value": "XcodeGhost - S0297" }, { "description": "[Proton](https://attack.mitre.org/software/S0279) is a macOS backdoor focusing on data theft and credential access (Citation: objsee mac malware 2017).", "meta": { "external_id": "S0279", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0279", "https://objective-see.com/blog/blog_0x25.html" ], "synonyms": [ "Proton" ] }, "related": [ { "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", "type": "uses" }, { "dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3", "type": "uses" }, { "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", "type": "uses" }, { "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": 
"uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" } ], "uuid": "c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", "value": "Proton - S0279" }, { "description": "[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. (Citation: Xiao-KeyRaider)", "meta": { "external_id": "S0288", "refs": [ "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/", "https://attack.mitre.org/software/S0288" ] }, "related": [ { "dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "value": "KeyRaider - S0288" }, { "description": "[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. 
(Citation: Lookout-NotCompatible)", "meta": { "external_id": "S0299", "refs": [ "https://attack.mitre.org/software/S0299", "https://blog.lookout.com/blog/2014/11/19/notcompatible/" ] }, "related": [ { "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d", "type": "uses" } ], "uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "value": "NotCompatible - S0299" }, { "description": "[UBoatRAT](https://attack.mitre.org/software/S0333) is a remote access tool that was identified in May 2017.(Citation: PaloAlto UBoatRAT Nov 2017)", "meta": { "external_id": "S0333", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0333", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/" ], "synonyms": [ "UBoatRAT" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f", "value": "UBoatRAT - S0333" }, { "description": "[DarkComet](https://attack.mitre.org/software/S0334) is a Windows remote administration tool and backdoor.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)", "meta": { "external_id": "S0334", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0334", "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET" ], "synonyms": [ "DarkComet", "DarkKomet", 
"Fynloski", "Krademok", "FYNLOS" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" } ], "uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547", "value": "DarkComet - S0334" }, { "description": "[Rifdoor](https://attack.mitre.org/software/S0433) is a remote access trojan (RAT) that shares numerous code similarities with [HotCroissant](https://attack.mitre.org/software/S0431).(Citation: Carbon Black HotCroissant April 2020)", "meta": { "external_id": "S0433", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0433", "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" ], "synonyms": [ "Rifdoor" ] }, "related": [ { "dest-uuid": 
"03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" } ], "uuid": "44c75271-0e4d-496f-ae0a-a6d883a42a65", "value": "Rifdoor - S0433" }, { "description": "[SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) is a remote access Trojan written in C++ that has been used by an unidentified \"sophisticated cyber actor\" since at least January 2017.(Citation: CISA MAR SLOTHFULMEDIA October 2020)(Citation: Costin Raiu IAmTheKing October 2020) It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.(Citation: USCYBERCOM SLOTHFULMEDIA October 2020)(Citation: Kaspersky IAmTheKing October 2020) \n\nIn October 2020, Kaspersky Labs assessed [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) is part of an activity cluster it refers to as \"IAmTheKing\".(Citation: Kaspersky IAmTheKing October 2020) ESET also noted code similarity between [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) and droppers used by a group it refers to as \"PowerPool\".(Citation: ESET PowerPool Code October 2020) ", "meta": { "external_id": "S0533", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0533", "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/", "https://twitter.com/CNMF_CyberAlert/status/1311743710997159953", 
"https://twitter.com/ESETresearch/status/1311762215490461696", "https://twitter.com/craiu/status/1311920398259367942", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" ], "synonyms": [ "SLOTHFULMEDIA", "JackOfHearts", "QueenOfClubs" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "feb2d7bb-aacb-48df-ad04-ccf41a30cd90", "value": 
"SLOTHFULMEDIA - S0533" }, { "description": "[Carbon](https://attack.mitre.org/software/S0335) is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. [Carbon](https://attack.mitre.org/software/S0335) has been selectively used by [Turla](https://attack.mitre.org/groups/G0010) to target government and foreign affairs-related organizations in Central Asia.(Citation: ESET Carbon Mar 2017)(Citation: Securelist Turla Oct 2018)", "meta": { "external_id": "S0335", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0335", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" ], "synonyms": [ "Carbon" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": 
"f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f", "value": "Carbon - S0335" }, { "description": "[NOKKI](https://attack.mitre.org/software/S0353) is a modular remote access tool. The earliest observed attack using [NOKKI](https://attack.mitre.org/software/S0353) was in January 2018. [NOKKI](https://attack.mitre.org/software/S0353) has significant code overlap with the [KONNI](https://attack.mitre.org/software/S0356) malware family. There is some evidence potentially linking [NOKKI](https://attack.mitre.org/software/S0353) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)", "meta": { "external_id": "S0353", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0353", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" ], "synonyms": [ "NOKKI" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": 
"uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "uses" } ], "uuid": "071d5d65-83ec-4a55-acfa-be7d5f28ba9a", "value": "NOKKI - S0353" }, { "description": "[NanoCore](https://attack.mitre.org/software/S0336) is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.(Citation: DigiTrust NanoCore Jan 2017)(Citation: Cofense NanoCore Mar 2018)(Citation: PaloAlto NanoCore Feb 2016)(Citation: Unit 42 Gorgon Group Aug 2018)", "meta": { "external_id": "S0336", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0336", "https://cofense.com/nanocore-rat-resurfaced-sewers/", "https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://www.digitrustgroup.com/nanocore-not-your-average-rat/" ], "synonyms": [ "NanoCore" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": 
"uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", "value": "NanoCore - S0336" }, { "description": "[Astaroth](https://attack.mitre.org/software/S0373) is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. (Citation: Cybereason Astaroth Feb 2019)(Citation: Cofense Astaroth Sept 2018)(Citation: Securelist Brazilian Banking Malware July 2020)", "meta": { "external_id": "S0373", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0373", "https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" ], "synonyms": [ "Astaroth", "Guildma" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": 
"30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", "type": "uses" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" } ], "uuid": "edb24a93-1f7a-4bbf-a738-1397a14662c6", "value": "Astaroth - S0373" }, { "description": "[BadPatch](https://attack.mitre.org/software/S0337) is a Windows Trojan that was used in a Gaza Hackers-linked campaign.(Citation: Unit 42 BadPatch Oct 2017)", 
"meta": { "external_id": "S0337", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0337", "https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" ], "synonyms": [ "BadPatch" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "9af05de0-bc09-4511-a350-5eb8b06185c1", "value": "BadPatch - S0337" }, { "description": "[FlawedGrace](https://attack.mitre.org/software/S0383) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019)", "meta": { "external_id": "S0383", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0383", "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" ], "synonyms": [ "FlawedGrace" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" } ], "uuid": "43155329-3edf-47a6-9a14-7dac899b01e4", "value": "FlawedGrace - S0383" }, { "description": "[Micropsia](https://attack.mitre.org/software/S0339) is a remote access tool written in Delphi.(Citation: Talos Micropsia June 
2017)(Citation: Radware Micropsia July 2018)", "meta": { "external_id": "S0339", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0339", "https://blog.radware.com/security/2018/07/micropsia-malware/", "https://blog.talosintelligence.com/2017/06/palestine-delphi.html" ], "synonyms": [ "Micropsia" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349", "value": "Micropsia - S0339" }, { "description": "[PowerStallion](https://attack.mitre.org/software/S0393) is a lightweight [PowerShell](https://attack.mitre.org/techniques/T1059/001) backdoor used by [Turla](https://attack.mitre.org/groups/G0010), possibly as a recovery access tool to install other backdoors.(Citation: ESET Turla PowerShell May 2019)", "meta": { "external_id": "S0393", "mitre_platforms": [ "Windows" ], "refs": [ 
"https://attack.mitre.org/software/S0393", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" ], "synonyms": [ "PowerStallion" ] }, "related": [ { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" } ], "uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd", "value": "PowerStallion - S0393" }, { "description": "[MESSAGETAP](https://attack.mitre.org/software/S0443) is a data mining malware family deployed by [APT41](https://attack.mitre.org/groups/G0096) into telecommunications networks to monitor and save SMS traffic from specific phone numbers or IMSI numbers, or messages that contain specific keywords. (Citation: FireEye MESSAGETAP October 2019)", "meta": { "external_id": "S0443", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S0443", "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html" ], "synonyms": [ "MESSAGETAP" ] }, "related": [ { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" } ], "uuid": "9b19d6b4-cfcb-492f-8ca8-8449e7331573", "value": "MESSAGETAP - S0443" }, { "description": "[Azorult](https://attack.mitre.org/software/S0344) is a commercial Trojan 
that is used to steal information from compromised hosts. [Azorult](https://attack.mitre.org/software/S0344) has been observed in the wild as early as 2016.\nIn July 2018, [Azorult](https://attack.mitre.org/software/S0344) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://attack.mitre.org/software/S0344) has been seen used for cryptocurrency theft. (Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)", "meta": { "external_id": "S0344", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0344", "https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" ], "synonyms": [ "Azorult" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", 
"type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "f9b05f33-d45d-4e4d-aafe-c208d38a0080", "value": "Azorult - S0344" }, { "description": "[PLEAD](https://attack.mitre.org/software/S0435) is a remote access tool (RAT) and downloader used by [BlackTech](https://attack.mitre.org/groups/G0098) in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018) [PLEAD](https://attack.mitre.org/software/S0435) has also been referred to as [TSCookie](https://attack.mitre.org/software/S0436), though more recent reporting indicates likely separation between the two. [PLEAD](https://attack.mitre.org/software/S0435) was observed in use as early as March 2017.(Citation: JPCert TSCookie March 2018)(Citation: JPCert PLEAD Downloader June 2018)", "meta": { "external_id": "S0435", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0435", "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/", "https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/", "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" ], "synonyms": [ "PLEAD" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", 
"type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" } ], "uuid": "b57f419e-8b12-49d3-886b-145383725dcd", "value": "PLEAD - S0435" }, { "description": "[Bazar](https://attack.mitre.org/software/S0534) is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. [Bazar](https://attack.mitre.org/software/S0534) reportedly has ties to [TrickBot](https://attack.mitre.org/software/S0266) campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.(Citation: Cybereason Bazar July 2020)", "meta": { "external_id": "S0534", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0534", "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/", "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" ], "synonyms": [ "Bazar", "KEGTAP", "Team9", "Bazaloader" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": 
"03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "type": "uses" }, { "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", "type": "uses" }, { "dest-uuid": 
"8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "99fdf3b4-96ef-4ab9-b191-fc683441cad0", "value": "Bazar - S0534" }, { "description": "[Denis](https://attack.mitre.org/software/S0354) is a Windows backdoor and Trojan used by [APT32](https://attack.mitre.org/groups/G0050). 
[Denis](https://attack.mitre.org/software/S0354) shares several similarities to the [SOUNDBITE](https://attack.mitre.org/software/S0157) backdoor and has been used in conjunction with the [Goopy](https://attack.mitre.org/software/S0477) backdoor.(Citation: Cybereason Oceanlotus May 2017)", "meta": { "external_id": "S0354", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0354", "https://www.cybereason.com/blog/operation-cobalt-kitty-apt" ], "synonyms": [ "Denis" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": 
"f25aab1a-0cef-4910-a85d-bb38b32ea41a", "value": "Denis - S0354" }, { "description": "[Pony](https://attack.mitre.org/software/S0453) is credential-stealing malware, though it has also been used by adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 was leaked online, leading to their use by various threat actors.(Citation: Malwarebytes Pony April 2016)", "meta": { "external_id": "S0453", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0453", "https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/" ], "synonyms": [ "Pony" ] }, "related": [ { "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "222ba512-32d9-49ac-aefd-50ce981ce2ce", "value": "Pony - S0453" }, { "description": "[Seasalt](https://attack.mitre.org/software/S0345) is malware that has been linked to [APT1](https://attack.mitre.org/groups/G0006)'s 2010 
operations. It shares some code similarities with [OceanSalt](https://attack.mitre.org/software/S0346).(Citation: Mandiant APT1 Appendix)(Citation: McAfee Oceansalt Oct 2018)", "meta": { "external_id": "S0345", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0345", "https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" ], "synonyms": [ "Seasalt" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "b45747dc-87ca-4597-a245-7e16a61bc491", "value": "Seasalt - S0345" }, { "description": "\n[Spark](https://attack.mitre.org/software/S0543) is a Windows backdoor and has been in use since as early as 2017.(Citation: Unit42 Molerat Mar 2020) ", "meta": { "external_id": "S0543", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0543", "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" ], "synonyms": [ "Spark" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": 
"3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "91541e7e-b969-40c6-bbd8-1b5352ec2938", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "03ea629c-517a-41e3-94f8-c7e5368cf8f4", "value": "Spark - S0543" }, { "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)", "meta": { "external_id": "S0463", "mitre_platforms": [ "iOS" ], "refs": [ "https://attack.mitre.org/software/S0463", "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" ], "synonyms": [ "INSOMNIA" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "type": "uses" }, { "dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "be63612f-a48f-44f2-a7a6-1763509fcf80", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": 
"e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "type": "uses" } ], "uuid": "21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "value": "INSOMNIA - S0463" }, { "description": "[TSCookie](https://attack.mitre.org/software/S0436) is a remote access tool (RAT) that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) in campaigns against Japanese targets.(Citation: JPCert TSCookie March 2018)(Citation: JPCert BlackTech Malware September 2019). [TSCookie](https://attack.mitre.org/software/S0436) has been referred to as [PLEAD](https://attack.mitre.org/software/S0435) though more recent reporting indicates a separation between the two.(Citation: JPCert PLEAD Downloader June 2018)(Citation: JPCert BlackTech Malware September 2019)", "meta": { "external_id": "S0436", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0436", "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html", "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html" ], "synonyms": [ "TSCookie" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": 
"df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "76ac7989-c5cc-42e2-93e3-d6c476f01ace", "value": "TSCookie - S0436" }, { "description": "[EnvyScout](https://attack.mitre.org/software/S0634) is a dropper that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)", "meta": { "external_id": "S0634", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0634", "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" ], "synonyms": [ "EnvyScout" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", "type": "uses" }, { "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d4dc46e3-5ba5-45b9-8204-010867cacfcb", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "2f8229dc-da94-41c6-89ba-b5b6c32f6b7d", "value": "EnvyScout - S0634" }, { "description": "[OceanSalt](https://attack.mitre.org/software/S0346) is a Trojan that was used in a campaign 
targeting victims in South Korea, the United States, and Canada. [OceanSalt](https://attack.mitre.org/software/S0346) shares code similarity with [SpyNote RAT](https://attack.mitre.org/software/S0305), which has been linked to [APT1](https://attack.mitre.org/groups/G0006).(Citation: McAfee Oceansalt Oct 2018)", "meta": { "external_id": "S0346", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0346", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" ], "synonyms": [ "OceanSalt" ] }, "related": [ { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" } ], "uuid": "288fa242-e894-4c7e-ac86-856deedf5cea", "value": "OceanSalt - S0346" }, { "description": "[Peppy](https://attack.mitre.org/software/S0643) is a Python-based remote access Trojan, active since at least 2012, with similarities to [Crimson](https://attack.mitre.org/software/S0115).(Citation: Proofpoint Operation Transparent Tribe March 2016)", "meta": { "external_id": "S0643", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0643", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ], "synonyms": [ "Peppy" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { 
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "6c2550d5-a01a-4bbb-a004-6ead348ba623", "value": "Peppy - S0643" }, { "description": "[AuditCred](https://attack.mitre.org/software/S0347) is a malicious DLL that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) during their 2018 attacks.(Citation: TrendMicro Lazarus Nov 2018)", "meta": { "external_id": "S0347", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0347", "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/" ], "synonyms": [ "AuditCred", "Roptimizer" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "24b4ce59-eaac-4c8b-8634-9b093b7ccd92", "value": "AuditCred - S0347" }, { "description": "[Avenger](https://attack.mitre.org/software/S0473) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)", "meta": { "external_id": "S0473", "mitre_platforms": [ "Windows" ], "refs": [ 
"https://attack.mitre.org/software/S0473", "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" ], "synonyms": [ "Avenger" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "36ede314-7db4-4d09-b53d-81bbfbe5f6f8", "value": "Avenger - S0473" }, { "description": "[Kivars](https://attack.mitre.org/software/S0437) is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by [BlackTech](https://attack.mitre.org/groups/G0098) in a 2010 campaign.(Citation: TrendMicro BlackTech June 2017)", "meta": { "external_id": "S0437", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0437", "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/" ], "synonyms": [ "Kivars" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": 
"cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "b2d134a1-7bd5-4293-94d4-8fc978cb1cd7", "value": "Kivars - S0437" }, { "description": "[SpeakUp](https://attack.mitre.org/software/S0374) is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. (Citation: CheckPoint SpeakUp Feb 2019)", "meta": { "external_id": "S0374", "mitre_platforms": [ "Linux", "macOS" ], "refs": [ "https://attack.mitre.org/software/S0374", "https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" ], "synonyms": [ "SpeakUp" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "a5575606-9b85-4e3d-9cd2-40ef30e3672d", "value": "SpeakUp - S0374" }, { "description": "[Attor](https://attack.mitre.org/software/S0438) is a 
Windows-based espionage platform that has been seen in use since 2013. [Attor](https://attack.mitre.org/software/S0438) has a loadable plugin architecture to customize functionality for specific targets.(Citation: ESET Attor Oct 2019)", "meta": { "external_id": "S0438", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0438", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" ], "synonyms": [ "Attor" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": 
"uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "8f423bd7-6ca7-4303-9e85-008c7ad5fdaa", "value": "Attor - S0438" }, { "description": "[IcedID](https://attack.mitre.org/software/S0483) is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. 
[IcedID](https://attack.mitre.org/software/S0483) has been downloaded by [Emotet](https://attack.mitre.org/software/S0367) in multiple campaigns.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)", "meta": { "external_id": "S0483", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0483", "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" ], "synonyms": [ "IcedID" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "type": "uses" }, { "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], 
"uuid": "5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "value": "IcedID - S0483" }, { "description": "[Dridex](https://attack.mitre.org/software/S0384) is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated [Dridex](https://attack.mitre.org/software/S0384) had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. [Dridex](https://attack.mitre.org/software/S0384) was created from the source code of the Bugat banking Trojan (also known as Cridex).(Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017)(Citation: Treasury EvilCorp Dec 2019)", "meta": { "external_id": "S0384", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0384", "https://home.treasury.gov/news/press-releases/sm845", "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/", "https://securelist.com/dridex-a-history-of-evolution/78531/", "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation" ], "synonyms": [ "Dridex", "Bugat v5" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": 
"bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" } ], "uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", "value": "Dridex - S0384" }, { "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) is a backdoor malware which has been packaged with legitimate tax preparation software. [GoldenSpy](https://attack.mitre.org/software/S0493) was discovered targeting organizations in China, being delivered with the \"Intelligent Tax\" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.(Citation: Trustwave GoldenSpy June 2020) ", "meta": { "external_id": "S0493", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0493", "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/" ], "synonyms": [ "GoldenSpy" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": 
"uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "b9704a7d-feef-4af9-8898-5280f1686326", "value": "GoldenSpy - S0493" }, { "description": "[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)", "meta": { "external_id": "S0394", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S0394", "https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" ], "synonyms": [ "HiddenWasp" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "fc774af4-533b-4724-96d2-ac1026316794", "value": "HiddenWasp - S0394" }, { "description": "[Okrum](https://attack.mitre.org/software/S0439) is a Windows backdoor that has been seen in use since December 2016 with strong links to [Ke3chang](https://attack.mitre.org/groups/G0004).(Citation: ESET Okrum July 2019)", "meta": { "external_id": "S0439", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0439", 
"https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" ], "synonyms": [ "Okrum" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" }, { "dest-uuid": "91541e7e-b969-40c6-bbd8-1b5352ec2938", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": 
"c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "4b6ec280-7bbb-48ff-ae59-b189520ebe83", "value": "Okrum - S0439" }, { "description": "[MoleNet](https://attack.mitre.org/software/S0553) is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.(Citation: Cybereason Molerats Dec 2020)", "meta": { "external_id": "S0553", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0553", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" ], "synonyms": [ "MoleNet" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "8a59f456-79a0-4151-9f56-9b1a67332af2", "value": "MoleNet - S0553" }, { "description": "[BoomBox](https://attack.mitre.org/software/S0635) is a downloader responsible for executing next stage components that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 
2021.(Citation: MSTIC Nobelium Toolset May 2021)", "meta": { "external_id": "S0635", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0635", "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" ], "synonyms": [ "BoomBox" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "c26f1c05-b861-4970-94dc-2f7f921a3074", "value": "BoomBox - S0635" }, { "description": "[xCaon](https://attack.mitre.org/software/S0653) is an HTTP variant of the [BoxCaon](https://attack.mitre.org/software/S0651) malware family that has been used by [IndigoZebra](https://attack.mitre.org/groups/G0136) since at least 2014. 
[xCaon](https://attack.mitre.org/software/S0653) has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)", "meta": { "external_id": "S0653", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0653", "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/", "https://securelist.com/apt-trends-report-q2-2017/79332/" ], "synonyms": [ "xCaon" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "21583311-6321-4891-8a37-3eb4e57b0fb1", "value": "xCaon - S0653" }, { "description": "[GPlayed](https://attack.mitre.org/software/S0536) is an Android trojan with a broad range of capabilities.(Citation: Talos GPlayed) ", "meta": { "external_id": "S0536", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0536", "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" ], "synonyms": [ "GPlayed" ] }, "related": [ { "dest-uuid": "00290ac5-551e-44aa-bbd8-c4b913488a6d", "type": "uses" }, { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": 
"198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc", "type": "uses" }, { "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "type": "uses" } ], "uuid": "a993495c-9813-4372-b9ec-d168c7f7ec0a", "value": "GPlayed - S0536" }, { "description": "[KONNI](https://attack.mitre.org/software/S0356) is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. 
[KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Talos Konni May 2017)(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)", "meta": { "external_id": "S0356", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0356", "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", "https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html", "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" ], "synonyms": [ "KONNI" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { 
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": 
"df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "86b92f6c-9c05-4c51-b361-4c7bb13e21a1", "value": "KONNI - S0356" }, { "description": "[HyperStack](https://attack.mitre.org/software/S0537) is a RPC-based backdoor used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2018. [HyperStack](https://attack.mitre.org/software/S0537) has similarities to other backdoors used by [Turla](https://attack.mitre.org/groups/G0010) including [Carbon](https://attack.mitre.org/software/S0335).(Citation: Accenture HyperStack October 2020)", "meta": { "external_id": "S0537", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0537", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" ], "synonyms": [ "HyperStack" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", "type": "uses" }, { "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", "type": "uses" } ], "uuid": "2cf7dec3-66fc-423f-b2c7-58f1de243b4e", "value": "HyperStack - S0537" }, { "description": "[Remexi](https://attack.mitre.org/software/S0375) is a Windows-based Trojan that was developed in the C programming language.(Citation: Securelist Remexi Jan 2019)", "meta": { "external_id": "S0375", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0375", "https://securelist.com/chafer-used-remexi-malware/89538/" ], "synonyms": [ "Remexi" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": 
"01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" } ], "uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5", "value": "Remexi - S0375" }, { "description": "[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. 
It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)", "meta": { "external_id": "S0385", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0385", "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", "https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html", "https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" ], "synonyms": [ "njRAT", "Njw0rm", "LV", "Bladabindi" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "29ba5a15-3b7b-4732-b817-65ea8f6468e6", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", 
"type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" } ], "uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", "value": "njRAT - S0385" }, { "description": "[Crutch](https://attack.mitre.org/software/S0538) is a backdoor designed for document theft that has been used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2015.(Citation: ESET Crutch December 2020)", "meta": { "external_id": "S0538", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0538", "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" ], "synonyms": [ "Crutch" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": 
"3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "925a6c52-5cf0-4fec-99de-b0d6917d8593", "value": "Crutch - S0538" }, { "description": "[Pysa](https://attack.mitre.org/software/S0583) is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.(Citation: CERT-FR PYSA April 2020)", "meta": { "external_id": "S0583", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0583", "https://digital.nhs.uk/cyber-alerts/2020/cc-3633", "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf" ], "synonyms": [ "Pysa", "Mespinoza" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { 
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "a19c1197-9414-46e3-986f-0f609ff4a46b", "value": "Pysa - S0583" }, { "description": "[ECCENTRICBANDWAGON](https://attack.mitre.org/software/S0593) is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.(Citation: CISA EB Aug 2020)", "meta": { "external_id": "S0593", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0593", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a" ], "synonyms": [ "ECCENTRICBANDWAGON" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" } ], "uuid": "e928333f-f3df-4039-9b8b-556c2add0e42", "value": "ECCENTRICBANDWAGON - S0593" }, { "description": "[LightNeuron](https://attack.mitre.org/software/S0395) is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. [LightNeuron](https://attack.mitre.org/software/S0395) has been used by [Turla](https://attack.mitre.org/groups/G0010) to target diplomatic and foreign affairs-related organizations. 
The presence of certain strings in the malware suggests a Linux variant of [LightNeuron](https://attack.mitre.org/software/S0395) exists.(Citation: ESET LightNeuron May 2019)", "meta": { "external_id": "S0395", "mitre_platforms": [ "Windows", "Linux" ], "refs": [ "https://attack.mitre.org/software/S0395", "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" ], "synonyms": [ "LightNeuron" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "uses" }, { "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": 
"eec23884-3fa1-4d8a-ac50-6f104d51e235", "type": "uses" } ], "uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", "value": "LightNeuron - S0395" }, { "description": "[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)", "meta": { "external_id": "S0366", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0366", "https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/", "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", "https://www.secureworks.com/research/wcry-ransomware-analysis", "https://www.us-cert.gov/ncas/alerts/TA17-132A", "https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4" ], "synonyms": [ "WannaCry", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WCry" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { 
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "value": "WannaCry - S0366" }, { "description": "[VaporRage](https://attack.mitre.org/software/S0636) is a shellcode downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)", "meta": { "external_id": "S0636", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0636", "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" ], "synonyms": [ "VaporRage" ] }, "related": [ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "96eca9b9-b37f-42f1-96dc-a2c441403194", "value": "VaporRage - S0636" }, { "description": "[SysUpdate](https://attack.mitre.org/software/S0663) is a backdoor written in C++ that has been used by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2020.(Citation: Trend Micro Iron Tiger April 2021)", "meta": { "external_id": "S0663", "mitre_platforms": [ "Windows", "Linux" ], "refs": [ "https://attack.mitre.org/software/S0663", "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" ], "synonyms": [ "SysUpdate", "HyperSSL", "Soldier", "FOCUSFJORD" ] }, "related": [ { "dest-uuid": 
"01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "c009560a-f097-45a3-8f9f-78ec1440a783", "value": "SysUpdate - S0663" }, { "description": "[DarkWatchman](https://attack.mitre.org/software/S0673) is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.(Citation: Prevailion DarkWatchman 2021)", "meta": { "external_id": "S0673", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0673", "https://www.prevailion.com/darkwatchman-new-fileless-techniques/" ], "synonyms": [ "DarkWatchman" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": 
"uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", "type": "uses" }, { "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "63686509-069b-4143-99ea-4e59cad6cb2a", "value": "DarkWatchman - S0673" }, { "description": "[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. 
(Citation: Trend Micro Banking Malware Jan 2019)", "meta": { "external_id": "S0367", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0367", "https://blog.talosintelligence.com/2019/01/return-of-emotet.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/", "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf", "https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/", "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/", "https://support.malwarebytes.com/docs/DOC-2295", "https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/", "https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/", "https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html", "https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader", "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor", "https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/" ], "synonyms": [ "Emotet", "Geodo" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "type": "uses" }, { "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "type": "uses" }, { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "type": "uses" }, { "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": 
"2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "uses" }, { "dest-uuid": "494ab9f0-36e0-4b06-b10d-57285b040a06", "type": "uses" }, { "dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": 
"deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" } ], "uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023", "value": "Emotet - S0367" }, { "description": "[HOPLIGHT](https://attack.mitre.org/software/S0376) is a backdoor Trojan that has reportedly been used by the North Korean government.(Citation: US-CERT HOPLIGHT Apr 2019)", "meta": { "external_id": "S0376", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0376", "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" ], "synonyms": [ "HOPLIGHT" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "215d9700-5881-48b8-8265-6449dbb7195d", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", 
"type": "uses" }, { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369", "value": "HOPLIGHT - S0376" }, { "description": "[NativeZone](https://attack.mitre.org/software/S0637) is the name given collectively to disposable custom [Cobalt Strike](https://attack.mitre.org/software/S0154) loaders used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)(Citation: SentinelOne NobleBaron June 2021)", "meta": { "external_id": "S0637", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0637", "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" ], "synonyms": [ "NativeZone" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", "type": "uses" } ], "uuid": "b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84", "value": "NativeZone - S0637" }, { "description": "[Babuk](https://attack.mitre.org/software/S0638) is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. 
The operators of [Babuk](https://attack.mitre.org/software/S0638) employ a \"Big Game Hunting\" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: CyberScoop Babuk February 2021)", "meta": { "external_id": "S0638", "mitre_platforms": [ "Windows", "Linux" ], "refs": [ "https://attack.mitre.org/software/S0638", "https://www.cyberscoop.com/babuk-ransomware-serco-attack/", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf", "https://www.sogeti.com/globalassets/reports/cybersecchronicles_-_babuk.pdf", "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html" ], "synonyms": [ "Babuk", "Babyk", "Vasa Locker" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "61c7a91a-0b83-461d-ad32-75d96eed4a09", "value": "Babuk - S0638" }, { "description": 
"[NotPetya](https://attack.mitre.org/software/S0368) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://attack.mitre.org/software/S0368) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)", "meta": { "external_id": "S0368", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0368", "https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", "https://www.justice.gov/opa/press-release/file/1328521/download", "https://www.us-cert.gov/ncas/alerts/TA17-181A", "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/" ], "synonyms": [ "NotPetya", "ExPetr", "Diskcoder.C", "GoldenEye", "Petrwrap", "Nyetya" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": 
"uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" } ], "uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb", "value": "NotPetya - S0368" }, { "description": "[Ursnif](https://attack.mitre.org/software/S0386) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)s, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) [Ursnif](https://attack.mitre.org/software/S0386) is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) 
capable of a wide variety of behaviors.(Citation: TrendMicro Ursnif Mar 2015)", "meta": { "external_id": "S0386", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0386", "https://web.archive.org/web/20210719165945/https://www.trendmicro.com/en_us/research/15/c/ursnif-the-multifaceted-malware.html?_ga=2.165628854.808042651.1508120821-744063452.1505819992", "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif", "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html", "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" ], "synonyms": [ "Ursnif", "Gozi-ISFB", "PE_URSNIF", "Dreambot" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "type": "uses" }, { 
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e49ee9d2-0d98-44ef-85e5-5d3100065744", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "uses" } ], "uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407", "value": "Ursnif - S0386" }, { "description": "[EvilBunny](https://attack.mitre.org/software/S0396) is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.(Citation: Cyphort EvilBunny Dec 2014)", "meta": { "external_id": "S0396", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0396", "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/" ], "synonyms": [ "EvilBunny" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": 
"01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "a8a778f5-0035-4870-bb25-53dc05029586", "value": "EvilBunny - S0396" }, { "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)", "meta": { "external_id": "S0369", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0369", "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/" ], "synonyms": [ "CoinTicker" ] }, "related": [ { "dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": 
"d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "d1531eaa-9e17-473e-a680-3298469662c3", "value": "CoinTicker - S0369" }, { "description": "[CaddyWiper](https://attack.mitre.org/software/S0693) is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.(Citation: ESET CaddyWiper March 2022)(Citation: Cisco CaddyWiper March 2022)", "meta": { "external_id": "S0693", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0693", "https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html", "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine" ], "synonyms": [ "CaddyWiper" ] }, "related": [ { "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "type": "uses" }, { "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" } ], "uuid": "b30d999d-64e0-4e35-9856-884e4b83d611", "value": "CaddyWiper - S0693" }, { "description": "[Ebury](https://attack.mitre.org/software/S0377) is an SSH backdoor targeting Linux operating systems. 
Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)(Citation: ESET Ebury Oct 2017)", "meta": { "external_id": "S0377", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S0377", "https://www.bleepingcomputer.com/news/security/russian-hacker-pleads-guilty-for-role-in-infamous-linux-ebury-malware/", "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/", "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/" ], "synonyms": [ "Ebury" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "type": "uses" }, { "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", "type": "uses" }, { "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", 
"type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "type": "uses" } ], "uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51", "value": "Ebury - S0377" }, { "description": "[KeyBoy](https://attack.mitre.org/software/S0387) is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: PWC KeyBoys Feb 2017)", "meta": { "external_id": "S0387", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0387", "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/", "https://citizenlab.ca/2016/11/parliament-keyboy/", "https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html" ], "synonyms": [ "KeyBoy" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": 
"cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e", "value": "KeyBoy - S0387" }, { "description": "[LoJax](https://attack.mitre.org/software/S0397) is a UEFI rootkit used by [APT28](https://attack.mitre.org/groups/G0007) to persist remote access software on targeted systems.(Citation: ESET LoJax Sept 2018)", "meta": { "external_id": "S0397", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0397", "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" ], "synonyms": [ "LoJax" ] }, "related": [ { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" } ], "uuid": "b865dded-0553-4962-a44b-6fe7863effed", "value": "LoJax - S0397" }, { "description": "[YAHOYAH](https://attack.mitre.org/software/S0388) is a Trojan used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) as a second-stage backdoor.(Citation: TrendMicro TropicTrooper 2015)", "meta": { "external_id": "S0388", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0388", "https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf" ], "synonyms": [ "YAHOYAH" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", 
"type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3", "value": "YAHOYAH - S0388" }, { "description": "[HyperBro](https://attack.mitre.org/software/S0398) is a custom in-memory backdoor used by [Threat Group-3390](https://attack.mitre.org/groups/G0027).(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)", "meta": { "external_id": "S0398", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0398", "https://securelist.com/luckymouse-hits-national-data-center/86083/", "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html", "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" ], "synonyms": [ "HyperBro" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "5e814485-012d-423d-b769-026bfed0f451", "value": "HyperBro - S0398" }, { "description": "[JCry](https://attack.mitre.org/software/S0389) is ransomware 
written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.(Citation: Carbon Black JCry May 2019)", "meta": { "external_id": "S0389", "refs": [ "https://attack.mitre.org/software/S0389", "https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/" ], "synonyms": [ "JCry" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "aaf3fa65-8b27-4e68-91de-2b7738fe4c82", "value": "JCry - S0389" }, { "description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)", "meta": { "external_id": "S0399", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0399", "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" ], "synonyms": [ "Pallas" ] }, "related": [ { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": 
"ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "value": "Pallas - S0399" }, { "description": "[ShimRat](https://attack.mitre.org/software/S0444) has been used by the suspected China-based adversary [Mofang](https://attack.mitre.org/groups/G0103) in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name \"[ShimRat](https://attack.mitre.org/software/S0444)\" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. 
(Citation: FOX-IT May 2016 Mofang)", "meta": { "external_id": "S0444", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0444", "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" ], "synonyms": [ "ShimRat" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "5763217a-05b6-4edd-9bca-057e47b5e403", "value": "ShimRat - S0444" }, { "description": "[HenBox](https://attack.mitre.org/software/S0544) is Android malware 
that attempts to only execute on Xiaomi devices running the MIUI operating system. [HenBox](https://attack.mitre.org/software/S0544) has primarily been used to target Uyghurs, a minority Turkic ethnic group.(Citation: Palo Alto HenBox)", "meta": { "external_id": "S0544", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0544", "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" ], "synonyms": [ "HenBox" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "aef537ba-10c2-40ed-a57a-80b8508aada4", "value": "HenBox - S0544" }, { "description": "[Cadelspy](https://attack.mitre.org/software/S0454) is a backdoor that has been used by [APT39](https://attack.mitre.org/groups/G0087).(Citation: Symantec Chafer Dec 2015)", 
"meta": { "external_id": "S0454", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0454", "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" ], "synonyms": [ "Cadelspy" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" } ], "uuid": "a705b085-1eae-455e-8f4d-842483d814eb", "value": "Cadelspy - S0454" }, { "description": "[ObliqueRAT](https://attack.mitre.org/software/S0644) is a remote access trojan, similar to [Crimson](https://attack.mitre.org/software/S0115), that has been in use by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2020.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)", "meta": { "external_id": "S0644", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0644", "https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html", "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html" ], "synonyms": [ "ObliqueRAT" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { 
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "5864e59f-eb4c-43ad-83b2-b5e4fae056c9", "value": "ObliqueRAT - S0644" }, { "description": "[SYSCON](https://attack.mitre.org/software/S0464) is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. [SYSCON](https://attack.mitre.org/software/S0464) has been delivered by the [CARROTBALL](https://attack.mitre.org/software/S0465) and [CARROTBAT](https://attack.mitre.org/software/S0462) droppers.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)", "meta": { "external_id": "S0464", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0464", "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/", "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/" ], "synonyms": [ "SYSCON" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": 
"uses" } ], "uuid": "edf5aee2-9b1c-4252-8e64-25b12f14c8b3", "value": "SYSCON - S0464" }, { "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)", "meta": { "external_id": "S0446", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0446", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" ], "synonyms": [ "Ryuk" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": 
"8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "a020a61c-423f-4195-8c46-ba1d21abba37", "value": "Ryuk - S0446" }, { "description": "[Lokibot](https://attack.mitre.org/software/S0447) is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. 
[Lokibot](https://attack.mitre.org/software/S0447) can also create a backdoor into infected systems to allow an attacker to install additional payloads.(Citation: Infoblox Lokibot January 2019)(Citation: Morphisec Lokibot April 2020)(Citation: CISA Lokibot September 2020)", "meta": { "external_id": "S0447", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0447", "https://blog.morphisec.com/lokibot-with-autoit-obfuscator-frenchy-shellcode", "https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html", "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22", "https://us-cert.cisa.gov/ncas/alerts/aa20-266a" ], "synonyms": [ "Lokibot" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { 
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "cb741463-f0fe-42e0-8d45-bc7e8335f5ae", "value": "Lokibot - S0447" }, { "description": "[Carberp](https://attack.mitre.org/software/S0484) is a credential and information stealing malware that has been active since at least 2009. 
[Carberp](https://attack.mitre.org/software/S0484)'s source code was leaked online in 2013, and subsequently used as the foundation for the [Carbanak](https://attack.mitre.org/software/S0030) backdoor.(Citation: Trend Micro Carberp February 2014)(Citation: KasperskyCarbanak)(Citation: RSA Carbanak November 2017)", "meta": { "external_id": "S0484", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0484", "https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/", "https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/carberp" ], "synonyms": [ "Carberp" ] }, "related": [ { "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": 
"b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "uses" } ], "uuid": "bbcd7a02-ef24-4171-ac94-a93540173b94", "value": "Carberp - S0484" }, { "description": "[Maze](https://attack.mitre.org/software/S0449) ransomware, previously known as \"ChaCha\", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [Maze](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)", "meta": { "external_id": "S0449", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0449", "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/" ], "synonyms": [ "Maze" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": 
"391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" } ], "uuid": "d9f7383c-95ec-4080-bbce-121c9384457b", "value": "Maze - S0449" }, { "description": "[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)", "meta": { "external_id": "S0494", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0494", "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" ], "synonyms": [ "Zen" ] }, "related": [ { "dest-uuid": "1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "type": "uses" }, { "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", "type": "uses" }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": 
"6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, { "dest-uuid": "c6e17ca2-08b5-4379-9786-89bd05241831", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", "type": "uses" } ], "uuid": "22faaa56-a8ac-4292-9be6-b571b255ee40", "value": "Zen - S0494" }, { "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.(Citation: WhiteOps TERRACOTTA)", "meta": { "external_id": "S0545", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0545", "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" ], "synonyms": [ "TERRACOTTA" ] }, "related": [ { "dest-uuid": "00290ac5-551e-44aa-bbd8-c4b913488a6d", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb", "type": "uses" }, { "dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "939808a7-121d-467a-b028-4441ee8b7cee", "type": "uses" }, { "dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" } ], "uuid": 
"e296b110-46d3-4f7a-894c-cc71ea50168c", "value": "TERRACOTTA - S0545" }, { "description": "[Egregor](https://attack.mitre.org/software/S0554) is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between [Egregor](https://attack.mitre.org/software/S0554) and Sekhmet ransomware, as well as [Maze](https://attack.mitre.org/software/S0449) ransomware.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020)(Citation: Security Boulevard Egregor Oct 2020)", "meta": { "external_id": "S0554", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0554", "https://cybleinc.com/2020/10/31/egregor-ransomware-a-deep-dive-into-its-activities-and-techniques/", "https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary", "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/" ], "synonyms": [ "Egregor" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": 
"ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "cc4c1287-9c86-4447-810c-744f3880ec37", "value": "Egregor - S0554" }, { "description": "[Metamorfo](https://attack.mitre.org/software/S0455) is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. 
The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019) ", "meta": { "external_id": "S0455", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0455", "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767", "https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" ], "synonyms": [ "Metamorfo", "Casbaneiro" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": 
"uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" } ], "uuid": "81c57a96-fc8c-4f91-af8e-63e24c2927c2", "value": "Metamorfo - S0455" }, { 
"description": "[BlackMould](https://attack.mitre.org/software/S0564) is a web shell based on [China Chopper](https://attack.mitre.org/software/S0020) for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by [GALLIUM](https://attack.mitre.org/groups/G0093) against telecommunication providers.(Citation: Microsoft GALLIUM December 2019)", "meta": { "external_id": "S0564", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0564", "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" ], "synonyms": [ "BlackMould" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "63c4511b-2d6e-4bb2-b582-e2e99a8a467d", "value": "BlackMould - S0564" }, { "description": "[ProLock](https://attack.mitre.org/software/S0654) is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with [QakBot](https://attack.mitre.org/software/S0650). 
[ProLock](https://attack.mitre.org/software/S0654) is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.(Citation: Group IB Ransomware September 2020)", "meta": { "external_id": "S0654", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0654", "https://groupib.pathfactory.com/ransomware-reports/prolock_wp" ], "synonyms": [ "ProLock" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "471d0e9f-2c8a-4e4b-8f3b-f85d2407806e", "value": "ProLock - S0654" }, { "description": "[SharpStage](https://attack.mitre.org/software/S0546) is a .NET malware with backdoor capabilities.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)", "meta": { "external_id": "S0546", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0546", "https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" ], "synonyms": [ "SharpStage" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { 
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "0ba9281c-93fa-4b29-8e9e-7ef918c7b13a", "value": "SharpStage - S0546" }, { "description": "[BendyBear](https://attack.mitre.org/software/S0574) is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, [BendyBear](https://attack.mitre.org/software/S0574) shares a variety of features with [Waterbear](https://attack.mitre.org/software/S0579), malware previously attributed to the Chinese cyber espionage group [BlackTech](https://attack.mitre.org/groups/G0098).(Citation: Unit42 BendyBear Feb 2021)", "meta": { "external_id": "S0574", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0574", "https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/" ], "synonyms": [ "BendyBear" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": 
"f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" } ], "uuid": "805480f1-6caa-4a67-8ca9-b2b39650d986", "value": "BendyBear - S0574" }, { "description": "[BackConfig](https://attack.mitre.org/software/S0475) is a custom Trojan with a flexible plugin architecture that has been used by [Patchwork](https://attack.mitre.org/groups/G0040).(Citation: Unit 42 BackConfig May 2020)", "meta": { "external_id": "S0475", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0475", "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" ], "synonyms": [ "BackConfig" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "c13d9621-aca7-436b-ab3d-3a95badb3d00", "value": "BackConfig - S0475" }, { "description": "[DropBook](https://attack.mitre.org/software/S0547) is a 
Python-based backdoor compiled with PyInstaller.(Citation: Cybereason Molerats Dec 2020)", "meta": { "external_id": "S0547", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0547", "https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" ], "synonyms": [ "DropBook" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "3ae6097d-d700-46c6-8b21-42fc0bcb48fa", "value": "DropBook - S0547" }, { "description": "[Netwalker](https://attack.mitre.org/software/S0457) is fileless ransomware written in PowerShell and executed directly in memory.(Citation: TrendMicro Netwalker May 2020)", "meta": { "external_id": "S0457", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0457", "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/" ], "synonyms": [ "Netwalker" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": 
"354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "754effde-613c-4244-a83e-fb659b2a4d06", "value": "Netwalker - S0457" }, { "description": "[AppleJeus](https://attack.mitre.org/software/S0584) is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. [AppleJeus](https://attack.mitre.org/software/S0584) has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032), targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. 
[AppleJeus](https://attack.mitre.org/software/S0584) has been used to distribute the [FALLCHILL](https://attack.mitre.org/software/S0181) RAT.(Citation: CISA AppleJeus Feb 2021)", "meta": { "external_id": "S0584", "mitre_platforms": [ "Windows", "macOS" ], "refs": [ "https://attack.mitre.org/software/S0584", "https://us-cert.cisa.gov/ncas/alerts/aa21-048a" ], "synonyms": [ "AppleJeus" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", "type": "uses" }, { "dest-uuid": "810aa4ad-61c9-49cb-993f-daa06199421d", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "da051493-ae9c-4b1b-9760-c009c46c9b56", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "e2d34c63-6f5a-41f5-86a2-e2380f27f858", "value": "AppleJeus - S0584" }, { "description": 
"[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.\n\n[Mandrake](https://attack.mitre.org/software/S0485) has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)", "meta": { "external_id": "S0485", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0485", "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" ], "synonyms": [ "Mandrake", "oxide", "briar", "ricinus", "darkmatter" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49", "type": "uses" }, { "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "type": "uses" }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "939808a7-121d-467a-b028-4441ee8b7cee", "type": "uses" }, { "dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": 
"ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62", "type": "uses" }, { "dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" }, { "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "type": "uses" }, { "dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626", "type": "uses" } ], "uuid": "52c994fa-b6c8-45a8-9586-a4275cf19307", "value": "Mandrake - S0485" }, { "description": "[Ramsay](https://attack.mitre.org/software/S0458) is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. 
Researchers have identified overlaps between [Ramsay](https://attack.mitre.org/software/S0458) and the [Darkhotel](https://attack.mitre.org/groups/G0012)-associated Retro malware.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)", "meta": { "external_id": "S0458", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0458", "https://www.programmersought.com/article/62493896999/", "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" ], "synonyms": [ "Ramsay" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": 
"354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "ba09b86c-1c40-4ff1-bda0-0d8c4ca35997", "value": "Ramsay - S0458" }, { "description": "[RDAT](https://attack.mitre.org/software/S0495) is a backdoor used by the suspected Iranian threat group [OilRig](https://attack.mitre.org/groups/G0049). 
[RDAT](https://attack.mitre.org/software/S0495) was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July 2020)", "meta": { "external_id": "S0495", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0495", "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" ], "synonyms": [ "RDAT" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "4b346d12-7f91-48d2-8f06-b26ffa0d825b", "value": "RDAT - S0495" }, { "description": 
"[SilkBean](https://attack.mitre.org/software/S0549) is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.(Citation: Lookout Uyghur Campaign)", "meta": { "external_id": "S0549", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0549", "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" ], "synonyms": [ "SilkBean" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "type": "uses" } ], "uuid": "ddbe5657-e21e-4a89-8221-2f1362d397ec", "value": "SilkBean - S0549" }, { "description": "[MechaFlounder](https://attack.mitre.org/software/S0459) is a python-based remote access tool (RAT) that has been used by [APT39](https://attack.mitre.org/groups/G0087). 
The payload uses a combination of actor developed code and code snippets freely available online in development communities.(Citation: Unit 42 MechaFlounder March 2019)", "meta": { "external_id": "S0459", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0459", "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/" ], "synonyms": [ "MechaFlounder" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2", "value": "MechaFlounder - S0459" }, { "description": "[SpicyOmelette](https://attack.mitre.org/software/S0646) is a JavaScript based remote access tool that has been used by [Cobalt Group](https://attack.mitre.org/groups/G0080) since at least 2018.(Citation: Secureworks GOLD KINGSWOOD September 2018)", "meta": { "external_id": "S0646", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0646", "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" ], "synonyms": [ "SpicyOmelette" ] }, "related": [ { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", 
"type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "599cd7b5-37b5-4cdd-8174-2811531ce9d0", "value": "SpicyOmelette - S0646" }, { "description": "[Pandora](https://attack.mitre.org/software/S0664) is a multistage kernel rootkit with backdoor functionality that has been in use by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2020.(Citation: Trend Micro Iron Tiger April 2021)", "meta": { "external_id": "S0664", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0664", "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" ], "synonyms": [ "Pandora" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "type": "uses" }, { "dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": 
"f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "a545456a-f9a7-47ad-9ea6-8b017def38d1", "value": "Pandora - S0664" }, { "description": "[WindTail](https://attack.mitre.org/software/S0466) is a macOS surveillance implant used by [Windshift](https://attack.mitre.org/groups/G0112). [WindTail](https://attack.mitre.org/software/S0466) shares code similarities with Hack Back aka KitM OSX.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)", "meta": { "external_id": "S0466", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0466", "https://objective-see.com/blog/blog_0x3B.html", "https://objective-see.com/blog/blog_0x3D.html", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf" ], "synonyms": [ "WindTail" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "0d1f9f5b-11ea-42c3-b5f4-63cce0122541", "value": "WindTail - S0466" }, { 
"description": "[CharmPower](https://attack.mitre.org/software/S0674) is a PowerShell-based, modular backdoor that has been used by [Magic Hound](https://attack.mitre.org/groups/G0059) since at least 2022.(Citation: Check Point APT35 CharmPower January 2022)", "meta": { "external_id": "S0674", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0674", "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" ], "synonyms": [ "CharmPower" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": 
"uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "7acb15b6-fe2c-4319-b136-6ab36ff0b2d4", "value": "CharmPower - S0674" }, { "description": "[TajMahal](https://attack.mitre.org/software/S0467) is a multifunctional spying framework that has been in use since at least 2014. [TajMahal](https://attack.mitre.org/software/S0467) is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.(Citation: Kaspersky TajMahal April 2019)", "meta": { "external_id": "S0467", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0467", "https://securelist.com/project-tajmahal/90240/" ], "synonyms": [ "TajMahal" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": 
"707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "b51797f7-57da-4210-b8ac-b8632ee75d70", "value": "TajMahal - S0467" }, { "description": "[Turian](https://attack.mitre.org/software/S0647) is a backdoor that has been used by [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. 
First reported in 2021, [Turian](https://attack.mitre.org/software/S0647) is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.(Citation: ESET BackdoorDiplomacy Jun 2021)", "meta": { "external_id": "S0647", "mitre_platforms": [ "Windows", "Linux" ], "refs": [ "https://attack.mitre.org/software/S0647", "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" ], "synonyms": [ "Turian" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" } ], "uuid": "350f12cf-fd3b-4dad-b323-14b943090df4", "value": "Turian - S0647" }, { "description": "[Valak](https://attack.mitre.org/software/S0476) is a 
multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)", "meta": { "external_id": "S0476", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0476", "https://unit42.paloaltonetworks.com/valak-evolution/", "https://www.cybereason.com/blog/valak-more-than-meets-the-eye" ], "synonyms": [ "Valak" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", "type": "uses" }, { "dest-uuid": 
"8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" } ], "uuid": "ade37ada-14af-4b44-b36c-210eec255d53", "value": "Valak - S0476" }, { "description": "[Bonadan](https://attack.mitre.org/software/S0486) is a malicious version of OpenSSH which acts as a custom backdoor. 
[Bonadan](https://attack.mitre.org/software/S0486) has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.(Citation: ESET ForSSHe December 2018)", "meta": { "external_id": "S0486", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S0486", "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" ], "synonyms": [ "Bonadan" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "4c6d62c2-89f5-4159-8fab-0190b1f9d328", "value": "Bonadan - S0486" }, { "description": "[Skidmap](https://attack.mitre.org/software/S0468) is a kernel-mode rootkit used for cryptocurrency mining.(Citation: Trend Micro Skidmap)", "meta": { "external_id": "S0468", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S0468", "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/" ], "synonyms": [ "Skidmap" ] }, "related": [ { "dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": 
"1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "4b68b5ea-2e1b-4225-845b-8632f702b9a0", "value": "Skidmap - S0468" }, { "description": "[ABK](https://attack.mitre.org/software/S0469) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)", "meta": { "external_id": "S0469", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0469", "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" ], "synonyms": [ "ABK" ] }, "related": [ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { 
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "a0ebedca-d558-4e48-8ff7-4bf76208d90c", "value": "ABK - S0469" }, { "description": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)", "meta": { "external_id": "S0649", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0649", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html" ], "synonyms": [ "SMOKEDHAM" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", 
"type": "uses" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "type": "uses" }, { "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "7e0f8b0f-716e-494d-827e-310bd6ed709e", "value": "SMOKEDHAM - S0649" }, { "description": "[DRATzarus](https://attack.mitre.org/software/S0694) is a remote access tool (RAT) that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) to target defense and aerospace organizations globally since at least summer 2020. [DRATzarus](https://attack.mitre.org/software/S0694) shares similarities with [Bankshot](https://attack.mitre.org/software/S0239), which was used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in 2017 to target the Turkish financial sector.(Citation: ClearSky Lazarus Aug 2020)", "meta": { "external_id": "S0694", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0694", "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" ], "synonyms": [ "DRATzarus" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, 
{ "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "56aa3c82-ed40-4b5a-84bf-7231356d9e96", "value": "DRATzarus - S0694" }, { "description": "[REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496), which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)", "meta": { "external_id": "S0496", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0496", "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", "https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", "https://securelist.com/sodin-ransomware/91473/", "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html", "https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data", "https://www.group-ib.com/whitepapers/ransomware-uncovered.html", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", "https://www.secureworks.com/blog/revil-the-gandcrab-connection", 
"https://www.secureworks.com/research/revil-sodinokibi-ransomware", "https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis" ], "synonyms": [ "REvil", "Sodin", "Sodinokibi" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { 
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "value": "REvil - S0496" }, { "description": "[Goopy](https://attack.mitre.org/software/S0477) is a Windows backdoor and Trojan used by [APT32](https://attack.mitre.org/groups/G0050) and shares several similarities to another backdoor used by the group ([Denis](https://attack.mitre.org/software/S0354)). 
[Goopy](https://attack.mitre.org/software/S0477) is named for its impersonation of the legitimate Google Updater executable.(Citation: Cybereason Cobalt Kitty 2017)", "meta": { "external_id": "S0477", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0477", "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" ], "synonyms": [ "Goopy" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "438c967d-3996-4870-bfc2-3954752a1927", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" } ], "uuid": "eac3d77f-2b7b-4599-ba74-948dc16633ad", "value": "Goopy - S0477" }, { "description": "[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android’s accessibility service to 
steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)", "meta": { "external_id": "S0478", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0478", "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" ], "synonyms": [ "EventBot" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "type": "uses" }, { "dest-uuid": "45a5fe76-eda3-4d40-8f22-c186efd6278d", "type": "uses" }, { "dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, { "dest-uuid": "bb4387ab-7a51-468b-bf5f-a9a8612f0303", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "aecc0097-c9f8-4786-9b39-e891ff173f54", "value": "EventBot - S0478" }, { "description": "[Kessel](https://attack.mitre.org/software/S0487) is a modified version of OpenSSH that acts as a custom backdoor, used mainly to steal credentials and to function as a bot. 
[Kessel](https://attack.mitre.org/software/S0487) has been active since its C2 domain began resolving in August 2018.(Citation: ESET ForSSHe December 2018)", "meta": { "external_id": "S0487", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S0487", "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" ], "synonyms": [ "Kessel" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "c984b414-b766-44c5-814a-2fe96c913c12", "value": "Kessel - S0487" }, { "description": "[Dacls](https://attack.mitre.org/software/S0497) is a multi-platform remote access tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least December 2019.(Citation: TrendMicro macOS Dacls May 2020)(Citation: SentinelOne Lazarus macOS July 2020)", "meta": { "external_id": "S0497", "mitre_platforms": [ "macOS", "Linux", "Windows" ], "refs": [ "https://attack.mitre.org/software/S0497", 
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" ], "synonyms": [ "Dacls" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", "value": "Dacls - S0497" }, { "description": "[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. 
[WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT) ", "meta": { "external_id": "S0489", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0489", "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" ], "synonyms": [ "WolfRAT" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "type": "uses" }, { "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "type": "uses" }, { "dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d", "type": "uses" }, { "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" } ], "uuid": "dfdac962-9461-47f0-a212-36dfce2a97e6", "value": "WolfRAT - S0489" }, { "description": "[Cryptoistic](https://attack.mitre.org/software/S0498) is a backdoor, written in Swift, that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032).(Citation: SentinelOne Lazarus macOS July 2020)", "meta": { "external_id": "S0498", "mitre_platforms": [ 
"macOS" ], "refs": [ "https://attack.mitre.org/software/S0498", "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" ], "synonyms": [ "Cryptoistic" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "a04d9a4c-bb52-40bf-98ec-e350c2d6a862", "value": "Cryptoistic - S0498" }, { "description": "[Hancitor](https://attack.mitre.org/software/S0499) is a downloader that has been used by [Pony](https://attack.mitre.org/software/S0453) and other information stealing malware.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)", "meta": { "external_id": "S0499", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0499", "https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/", "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html" ], "synonyms": [ "Hancitor", "Chanitor" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "808e6329-ca91-4b87-ac2d-8eadc5f8f327", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { 
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "ef2247bf-8062-404b-894f-d65d00564817", "value": "Hancitor - S0499" }, { "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) is a modular backdoor that has been deployed by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CYBERWARCON CHEMISTGAMES)", "meta": { "external_id": "S0555", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0555", "https://www.youtube.com/watch?v=xoNSbm1aX_w" ], "synonyms": [ "CHEMISTGAMES" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb", "type": "uses" }, { "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "a0d774e4-bafc-4292-8651-3ec899391341", "value": "CHEMISTGAMES - S0555" }, { "description": "[BusyGasper](https://attack.mitre.org/software/S0655) is Android spyware that has been in use since May 2016. 
There have been fewer than 10 victims, all of whom appear to be located in Russia, and all of whom were infected via physical access to the device.(Citation: SecureList BusyGasper)", "meta": { "external_id": "S0655", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0655", "https://securelist.com/busygasper-the-unfriendly-spy/87627/" ], "synonyms": [ "BusyGasper" ] }, "related": [ { "dest-uuid": "24a77e53-0751-46fc-b207-99378fb35c08", "type": "uses" }, { "dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "type": "uses" }, { "dest-uuid": "37047267-3e56-453c-833e-d92b68118120", "type": "uses" }, { "dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e", "type": "uses" }, { "dest-uuid": "939808a7-121d-467a-b028-4441ee8b7cee", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, { "dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd", "type": "uses" }, { "dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "type": "uses" } ], "uuid": "e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "value": "BusyGasper - S0655" }, { "description": "[Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during 
investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)", "meta": { "external_id": "S0565", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0565", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" ], "synonyms": [ "Raindrop" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" } ], "uuid": "4efc3e00-72f2-466a-ab7c-8a7dc6603b19", "value": "Raindrop - S0565" }, { "description": "[Conti](https://attack.mitre.org/software/S0575) is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. [Conti](https://attack.mitre.org/software/S0575) has been deployed via [TrickBot](https://attack.mitre.org/software/S0266) and used against major corporations and government agencies, particularly those in North America. 
As with other ransomware families, actors using [Conti](https://attack.mitre.org/software/S0575) steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)(Citation: Cybleinc Conti January 2020)", "meta": { "external_id": "S0575", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0575", "https://cybleinc.com/2021/01/21/conti-ransomware-resurfaces-targeting-government-large-organizations/", "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/", "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware" ], "synonyms": [ "Conti" ] }, "related": [ { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "4dea7d8e-af94-4bfb-afe4-7ff54f59308b", "value": "Conti - S0575" }, { 
"description": "[Kerrdown](https://attack.mitre.org/software/S0585) is a custom downloader that has been used by [APT32](https://attack.mitre.org/groups/G0050) since at least 2018 to install spyware from a server on the victim's network.(Citation: Amnesty Intl. Ocean Lotus February 2021)(Citation: Unit 42 KerrDown February 2019)", "meta": { "external_id": "S0585", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0585", "https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/", "https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf" ], "synonyms": [ "Kerrdown" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "8c1d01ff-fdc0-4586-99bd-c248e0761af5", "value": "Kerrdown - S0585" }, { "description": "[SUNBURST](https://attack.mitre.org/software/S0559) is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. 
It was used by [APT29](https://attack.mitre.org/groups/G0016) since at least February 2020.(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)", "meta": { "external_id": "S0559", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0559", "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" ], "synonyms": [ "SUNBURST", "Solorigate" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", "type": "uses" }, { "dest-uuid": 
"707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" } ], "uuid": "a8839c95-029f-44cf-8f3d-a3cf2039e927", "value": "SUNBURST - S0559" }, { "description": "[ThiefQuest](https://attack.mitre.org/software/S0595) is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. 
[ThiefQuest](https://attack.mitre.org/software/S0595) was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.(Citation: Reed thiefquest fake ransom) Even though [ThiefQuest](https://attack.mitre.org/software/S0595) presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.(Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)", "meta": { "external_id": "S0595", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0595", "https://blog.malwarebytes.com/detections/osx-thiefquest/", "https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/", "https://objective-see.com/blog/blog_0x60.html", "https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/" ], "synonyms": [ "ThiefQuest", "MacRansom.K", "EvilQuest" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": 
"cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "727afb95-3d0f-4451-b297-362a43909923", "value": "ThiefQuest - S0595" }, { "description": "[ThreatNeedle](https://attack.mitre.org/software/S0665) is a backdoor that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Manuscrypt (a.k.a. NukeSped) malware family.(Citation: Kaspersky ThreatNeedle Feb 2021)", "meta": { "external_id": "S0665", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0665", "https://securelist.com/lazarus-threatneedle/100803/" ], "synonyms": [ "ThreatNeedle" ] }, "related": [ { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": 
"9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "16040b1c-ed28-4850-9d8f-bb8b81c42092", "value": "ThreatNeedle - S0665" }, { "description": "[BLUELIGHT](https://attack.mitre.org/software/S0657) is a remote access Trojan used by [APT37](https://attack.mitre.org/groups/G0067) that was first observed in early 2021.(Citation: Volexity InkySquid BLUELIGHT August 2021)", "meta": { "external_id": "S0657", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0657", "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" ], "synonyms": [ "BLUELIGHT" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0", "value": "BLUELIGHT - S0657" }, { "description": "[MegaCortex](https://attack.mitre.org/software/S0576) is ransomware that first appeared in May 2019. (Citation: IBM MegaCortex) [MegaCortex](https://attack.mitre.org/software/S0576) has mainly targeted industrial organizations. (Citation: FireEye Ransomware Disrupt Industrial Production)(Citation: FireEye Financial Actors Moving into OT)", "meta": { "external_id": "S0576", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0576", "https://securityintelligence.com/posts/from-mega-to-giga-cross-version-comparison-of-top-megacortex-modifications/", "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html" ], "synonyms": [ "MegaCortex" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" }, { "dest-uuid": 
"e7cbc1de-1f79-48ee-abfd-da1241c65a15", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" }, { "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", "type": "uses" } ], "uuid": "909617c3-6d87-4330-8f32-bd3af38c3b92", "value": "MegaCortex - S0576" }, { "description": "[Dtrack](https://attack.mitre.org/software/S0567) is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. [Dtrack](https://attack.mitre.org/software/S0567) shares similarities with the DarkSeoul campaign, which was attributed to [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: Kaspersky Dtrack)(Citation: Securelist Dtrack)(Citation: Dragos WASSONITE)(Citation: CyberBit Dtrack)(Citation: ZDNet Dtrack)", "meta": { "external_id": "S0567", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0567", "https://securelist.com/my-name-is-dtrack/93338/", "https://usa.kaspersky.com/about/press-releases/2019_dtrack-previously-unknown-spy-tool-hits-financial-institutions-and-research-centers", "https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/", "https://www.dragos.com/threat/wassonite/", "https://www.zdnet.com/article/confirmed-north-korean-malware-found-on-indian-nuclear-plants-network/" ], "synonyms": [ "Dtrack" ] }, "related": [ { "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", 
"type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "f8774023-8021-4ece-9aca-383ac89d2759", "value": "Dtrack - S0567" }, { "description": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) is a fully-featured beaconing implant integrated with command modules used by [Lazarus Group](https://attack.mitre.org/groups/G0032). 
It was first reported in May 2020.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)", "meta": { "external_id": "S0586", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0586", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" ], "synonyms": [ "TAINTEDSCRIBE" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "7f4bbe05-1674-4087-8a16-8f1ad61b6152", "value": "TAINTEDSCRIBE - S0586" }, { "description": "[XCSSET](https://attack.mitre.org/software/S0658) is a macOS modular backdoor that targets Xcode application developers. 
[XCSSET](https://attack.mitre.org/software/S0658) was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.(Citation: trendmicro xcsset xcode project 2020)", "meta": { "external_id": "S0658", "mitre_platforms": [ "macOS" ], "refs": [ "https://attack.mitre.org/software/S0658", "https://blog.malwarebytes.com/detections/osx-dubrobber/", "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" ], "synonyms": [ "XCSSET", "OSX.DubRobber" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, { "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", "type": "uses" }, { "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba", "type": "uses" }, { "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", "type": "uses" }, { "dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4", "type": "uses" }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7d20fff9-8751-404e-badd-ccd71bda0236", "type": "uses" }, { "dest-uuid": "810aa4ad-61c9-49cb-993f-daa06199421d", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { 
"dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, { "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], "uuid": "e14085cb-0e8d-4be6-92ba-e3b93ee5978f", "value": "XCSSET - S0658" }, { "description": "[EVILNUM](https://attack.mitre.org/software/S0568) is a fully capable backdoor that was first identified in 2018. [EVILNUM](https://attack.mitre.org/software/S0568) is used by the APT group [Evilnum](https://attack.mitre.org/groups/G0120), which has the same name.(Citation: ESET EvilNum July 2020)(Citation: Prevailion EvilNum May 2020)", "meta": { "external_id": "S0568", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0568", "https://www.prevailion.com/phantom-in-the-command-shell-2/", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" ], "synonyms": [ "EVILNUM" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": 
"799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "7cdfccda-2950-4167-981a-60872ff5d0db", "value": "EVILNUM - S0568" }, { "description": "[PowerPunch](https://attack.mitre.org/software/S0685) is a lightweight downloader that has been used by [Gamaredon Group](https://attack.mitre.org/groups/G0047) since at least 2021.(Citation: Microsoft Actinium February 2022)", "meta": { "external_id": "S0685", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0685", "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" ], "synonyms": [ "PowerPunch" ] }, "related": [ { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995", "type": "uses" } ], "uuid": "d52291b4-bb23-45a8-aef0-3dc7e986ba15", "value": "PowerPunch - S0685" }, { "description": "[Diavol](https://attack.mitre.org/software/S0659) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. 
The [Diavol](https://attack.mitre.org/software/S0659) Ransomware-as-a-Service (RaaS) program is managed by [Wizard Spider](https://attack.mitre.org/groups/G0102) and it has been observed being deployed by [Bazar](https://attack.mitre.org/software/S0534).(Citation: Fortinet Diavol July 2021)(Citation: FBI Flash Diavol January 2022)(Citation: DFIR Diavol Ransomware December 2021)(Citation: Microsoft Ransomware as a Service)", "meta": { "external_id": "S0659", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0659", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider", "https://www.ic3.gov/Media/News/2022/220120.pdf", "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" ], "synonyms": [ "Diavol" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": 
"d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "4e9bdf9a-4957-47f6-87b3-c76898d3f623", "value": "Diavol - S0659" }, { "description": "[Explosive](https://attack.mitre.org/software/S0569) is a custom-made remote access tool used by the group [Volatile Cedar](https://attack.mitre.org/groups/G0123). It was first identified in the wild in 2015.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021) ", "meta": { "external_id": "S0569", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0569", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf", "https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" ], "synonyms": [ "Explosive" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" } ], 
"uuid": "6a21e3a4-5ffe-4581-af9a-6a54c7536f44", "value": "Explosive - S0569" }, { "description": "[ShadowPad](https://attack.mitre.org/software/S0596) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by [APT41](https://attack.mitre.org/groups/G0096), but has since been observed to be used by various Chinese threat activity groups. (Citation: Recorded Future RedEcho Feb 2021)(Citation: Securelist ShadowPad Aug 2017)(Citation: Kaspersky ShadowPad Aug 2017) ", "meta": { "external_id": "S0596", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0596", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf", "https://securelist.com/shadowpad-in-corporate-networks/81432/", "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" ], "synonyms": [ "ShadowPad", "POISONPLUG.SHADOW" ] }, "related": [ { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { 
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc", "value": "ShadowPad - S0596" }, { "description": "[FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell)", "meta": { "external_id": "S0577", "mitre_platforms": [ "Android" ], "refs": [ "https://attack.mitre.org/software/S0577", "https://blog.lookout.com/frozencell-mobile-threat" ], "synonyms": [ "FrozenCell" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "type": "uses" }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec", "type": "uses" } ], "uuid": 
"96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "value": "FrozenCell - S0577" }, { "description": "[SUPERNOVA](https://attack.mitre.org/software/S0578) is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of [APT29](https://attack.mitre.org/groups/G0016)'s SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests [SUPERNOVA](https://attack.mitre.org/software/S0578) may have been used by the China-based threat group SPIRAL.(Citation: Guidepoint SUPERNOVA Dec 2020)(Citation: Unit42 SUPERNOVA Dec 2020)(Citation: SolarWinds Advisory Dec 2020)(Citation: CISA Supernova Jan 2021)(Citation: Microsoft Analyzing Solorigate Dec 2020)", "meta": { "external_id": "S0578", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0578", "https://unit42.paloaltonetworks.com/solarstorm-supernova/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a", "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/", "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://www.solarwinds.com/sa-overview/securityadvisory" ], "synonyms": [ "SUPERNOVA" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "b2b0b946-be0a-4a7f-9c32-a2e5211d1cd9", "value": "SUPERNOVA - S0578" }, { "description": "[Penquin](https://attack.mitre.org/software/S0587) is a remote access trojan (RAT) with multiple versions used by [Turla](https://attack.mitre.org/groups/G0010) to target Linux systems since at least 
2014.(Citation: Kaspersky Turla Penquin December 2014)(Citation: Leonardo Turla Penquin May 2020)", "meta": { "external_id": "S0587", "mitre_platforms": [ "Linux" ], "refs": [ "https://attack.mitre.org/software/S0587", "https://securelist.com/the-penquin-turla-2/67962/", "https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" ], "synonyms": [ "Penquin", "Penquin 2.0", "Penquin_x64" ] }, "related": [ { "dest-uuid": "005cc321-08ce-4d17-b1ea-cb5275926520", "type": "uses" }, { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "type": "uses" }, { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "d18cb958-f4ad-4fb3-bb4f-e8994d206550", "value": "Penquin - S0587" }, { "description": "[GoldFinder](https://attack.mitre.org/software/S0597) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. 
It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://attack.mitre.org/software/S0597) was discovered in early 2021 during an investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) by [APT29](https://attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM Mar 2021)", "meta": { "external_id": "S0597", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0597", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" ], "synonyms": [ "GoldFinder" ] }, "related": [ { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "b7010785-699f-412f-ba49-524da6033c76", "value": "GoldFinder - S0597" }, { "description": "[Waterbear](https://attack.mitre.org/software/S0579) is modular malware attributed to [BlackTech](https://attack.mitre.org/groups/G0098) that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.(Citation: Trend Micro Waterbear December 2019)", "meta": { "external_id": "S0579", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0579", "https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html" ], "synonyms": [ "Waterbear" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": 
"57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "f3f1fbed-7e29-49cb-8579-4a378f858deb", "value": "Waterbear - S0579" }, { "description": "[GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. 
[GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)", "meta": { "external_id": "S0588", "mitre_platforms": [ "Windows", "Linux" ], "refs": [ "https://attack.mitre.org/software/S0588", "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/", "https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" ], "synonyms": [ "GoldMax", "SUNSHUTTLE" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4a2975db-414e-4c0c-bd92-775987514b4b", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": 
"f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" } ], "uuid": "5c747acd-47f0-4c5a-b9e5-213541fc01e0", "value": "GoldMax - S0588" }, { "description": "[Sibot](https://attack.mitre.org/software/S0589) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://attack.mitre.org/software/S0589) variants in early 2021 during its investigation of [APT29](https://attack.mitre.org/groups/G0016) and the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024).(Citation: MSTIC NOBELIUM Mar 2021)", "meta": { "external_id": "S0589", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0589", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" ], "synonyms": [ "Sibot" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": 
"uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "979adb5a-dc30-48f0-9e3d-9a26d866928c", "value": "Sibot - S0589" }, { "description": "[Kinsing](https://attack.mitre.org/software/S0599) is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. (Citation: Aqua Kinsing April 2020)(Citation: Sysdig Kinsing November 2020)(Citation: Aqua Security Cloud Native Threat Report June 2021)", "meta": { "external_id": "S0599", "mitre_platforms": [ "Containers", "Linux" ], "refs": [ "https://attack.mitre.org/software/S0599", "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability", "https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation", "https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/" ], "synonyms": [ "Kinsing" ] }, "related": [ { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "type": "uses" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92", "type": "uses" }, { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "type": "uses" }, { "dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": 
"8187bd2a-866f-4457-9009-86b0ddedffa3", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "d6e55656-e43f-411f-a7af-45df650471c5", "value": "Kinsing - S0599" }, { "description": "[Gelsemium](https://attack.mitre.org/software/S0666) is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://attack.mitre.org/software/S0666) has been used by the Gelsemium group since at least 2014.(Citation: ESET Gelsemium June 2021)", "meta": { "external_id": "S0666", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0666", "https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" ], "synonyms": [ "Gelsemium", "Gelsevirine", "Gelsenicine", "Gelsemine" ] }, "related": [ { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2de47683-f398-448f-b947-9abcc3e32fad", "type": "uses" }, { 
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "efa7c4d6-8e30-41d9-a8fd-26dc337f4a1b", "value": "Gelsemium - S0666" }, { "description": "[Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool 
written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666) malware.(Citation: ESET Gelsemium June 2021)", "meta": { "external_id": "S0667", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0667", "https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" ], "synonyms": [ "Chrommme" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "579607c2-d046-40df-99ab-beb479c37a2a", "value": "Chrommme - S0667" }, { "description": "[QuietSieve](https://attack.mitre.org/software/S0686) is an information stealer that has been used by [Gamaredon Group](https://attack.mitre.org/groups/G0047) since at least 2021.(Citation: Microsoft Actinium February 2022)", "meta": { "external_id": "S0686", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0686", "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" ], 
"synonyms": [ "QuietSieve" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "03eb4a05-6a02-43f6-afb7-3c7835501828", "value": "QuietSieve - S0686" }, { "description": "[TinyTurla](https://attack.mitre.org/software/S0668) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010) against targets in the US, Germany, and Afghanistan since at least 2020.(Citation: Talos TinyTurla September 2021)", "meta": { "external_id": "S0668", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0668", "https://blog.talosintelligence.com/2021/09/tinyturla.html" ], "synonyms": [ "TinyTurla" ] }, "related": [ { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", 
"type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" } ], "uuid": "2a7c1bb7-cd12-456e-810d-ab3bf8457bab", "value": "TinyTurla - S0668" }, { "description": "[KOCTOPUS](https://attack.mitre.org/software/S0669)'s batch variant is a loader used by [LazyScripter](https://attack.mitre.org/groups/G0140) since 2018 to launch [Octopus](https://attack.mitre.org/software/S0340) and [Koadic](https://attack.mitre.org/software/S0250) and, in some cases, [QuasarRAT](https://attack.mitre.org/software/S0262). [KOCTOPUS](https://attack.mitre.org/software/S0669) also has a VBA variant that has the same functionality as the batch version.(Citation: MalwareBytes LazyScripter Feb 2021)", "meta": { "external_id": "S0669", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0669", "https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" ], "synonyms": [ "KOCTOPUS" ] }, "related": [ { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": 
"9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "df9b350b-d4f9-4e79-a826-75cc75fbc1eb", "value": "KOCTOPUS - S0669" }, { "description": "[Flagpro](https://attack.mitre.org/software/S0696) is a Windows-based, first-stage downloader that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.(Citation: NTT Security Flagpro new December 2021) ", "meta": { "external_id": "S0696", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0696", "https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech" ], "synonyms": [ "Flagpro" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { 
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "592260fb-dd5c-4a30-8d99-106a0485be0d", "value": "Flagpro - S0696" }, { "description": "[Torisma](https://attack.mitre.org/software/S0678) is a second stage implant designed for specialized monitoring that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032). 
[Torisma](https://attack.mitre.org/software/S0678) was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.(Citation: McAfee Lazarus Nov 2020)", "meta": { "external_id": "S0678", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0678", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" ], "synonyms": [ "Torisma" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "0715560d-4299-4e84-9e20-6e80ab57e4f2", "value": "Torisma - S0678" }, { "description": "[Ferocious](https://attack.mitre.org/software/S0679) is a first stage implant composed of VBS and PowerShell scripts that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) since at least 2021.(Citation: Kaspersky WIRTE November 2021)", "meta": { "external_id": "S0679", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0679", "https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" ], 
"synonyms": [ "Ferocious" ] }, "related": [ { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" } ], "uuid": "73d08401-005f-4e1f-90b9-8f45d120879f", "value": "Ferocious - S0679" }, { "description": "[HermeticWiper](https://attack.mitre.org/software/S0697) is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. 
Some sectors targeted include government, financial, defense, aviation, and IT services.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)", "meta": { "external_id": "S0697", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0697", "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia", "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a", "https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/", "https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine", "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack", "https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine" ], "synonyms": [ "HermeticWiper", "Trojan.Killdisk", "DriveSlayer" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": 
"uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" }, { "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" } ], "uuid": "a0ab8a96-40c9-4483-8a54-3fafa6d6007a", "value": "HermeticWiper - S0697" }, { "description": "[Meteor](https://attack.mitre.org/software/S0688) is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. 
[Meteor](https://attack.mitre.org/software/S0688) is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called \"Indra\" since at least 2019 against private companies in Syria.(Citation: Check Point Meteor Aug 2021)", "meta": { "external_id": "S0688", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0688", "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/" ], "synonyms": [ "Meteor" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": 
"d79e7a60-5de9-448e-a074-f95d2d80f8d0", "value": "Meteor - S0688" }, { "description": "[WhisperGate](https://attack.mitre.org/software/S0689) is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022)", "meta": { "external_id": "S0689", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0689", "https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/#whispergate-malware-family", "https://www.cybereason.com/blog/cybereason-vs.-whispergate-wiper", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/" ], "synonyms": [ "WhisperGate" ] }, "related": [ { "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2cd950a6-16c4-404a-aa01-044322395107", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "uses" }, { "dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0", "type": "uses" }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": 
"830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" } ], "uuid": "49fee0b0-390e-4bde-97f8-97ed46bd19b7", "value": "WhisperGate - S0689" }, { "description": "[HermeticWizard](https://attack.mitre.org/software/S0698) is a worm that has been used to spread [HermeticWiper](https://attack.mitre.org/software/S0697) in attacks against organizations in Ukraine since at least 2022.(Citation: ESET Hermetic Wizard March 2022)", "meta": { "external_id": "S0698", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S0698", "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine" ], "synonyms": [ "HermeticWizard" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": 
"uses" }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa", "value": "HermeticWizard - S0698" }, { "description": "[DarkGate](https://attack.mitre.org/software/S1111) first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. 
Written in Delphi and named \"DarkGate\" by its author, [DarkGate](https://attack.mitre.org/software/S1111) is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.(Citation: Ensilo Darkgate 2018) DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.(Citation: Trellix Darkgate 2023)", "meta": { "external_id": "S1111", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1111", "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", "https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/" ], "synonyms": [ "DarkGate" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0c2d00da-7742-49e7-9928-4514e5075d32", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3a32740a-11b0-4bcf-b0a9-3abd0f6d3cd5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": 
"3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3", "type": "uses" }, { "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "type": "uses" }, { "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "type": "uses" }, { "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", "type": "uses" }, { "dest-uuid": 
"e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb897572-8979-4242-a089-56f294f4c91d", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "6f6f67c9-556d-4459-95c2-78d272190e52", "value": "DarkGate - S1111" }, { "description": "[STEADYPULSE](https://attack.mitre.org/software/S1112) is a web shell that infects targeted Pulse Secure VPN servers through modification of a legitimate Perl script. It was used as early as 2020, including in activity against US Defense Industrial Base (DIB) entities.(Citation: Mandiant Pulse Secure Zero-Day April 2021)", "meta": { "external_id": "S1112", "mitre_platforms": [ "Network" ], "refs": [ "https://attack.mitre.org/software/S1112", "https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day" ], "synonyms": [ "STEADYPULSE" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "ca0fead6-5277-427a-825b-42ff1fbe476e", "value": "STEADYPULSE - S1112" }, { "description": "[RAPIDPULSE](https://attack.mitre.org/software/S1113) is a web shell that exists as a modification to a legitimate Pulse Secure file that has been used by [APT5](https://attack.mitre.org/groups/G1023) since at least 2021.(Citation: Mandiant Pulse Secure Update May 2021)", "meta": { "external_id": "S1113", "mitre_platforms": [ 
"Network", "Linux" ], "refs": [ "https://attack.mitre.org/software/S1113", "https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices" ], "synonyms": [ "RAPIDPULSE" ] }, "related": [ { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" } ], "uuid": "880f7b3e-ad27-4158-8b03-d44c9357950b", "value": "RAPIDPULSE - S1113" }, { "description": "[ZIPLINE](https://attack.mitre.org/software/S1114) is a passive backdoor that was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) on compromised Secure Connect VPNs for reverse shell and proxy functionality.(Citation: Mandiant Cutting Edge January 2024)", "meta": { "external_id": "S1114", "mitre_platforms": [ "Network" ], "refs": [ "https://attack.mitre.org/software/S1114", "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day" ], "synonyms": [ "ZIPLINE" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "d9765cbd-4c88-4805-ba98-4c6ccb56b864", "value": "ZIPLINE - S1114" }, { "description": "[WIREFIRE](https://attack.mitre.org/software/S1115) is a web shell written in Python that exists as 
trojanized logic to the visits.py component of Ivanti Connect Secure VPN appliances. [WIREFIRE](https://attack.mitre.org/software/S1115) was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) for downloading files and command execution.(Citation: Mandiant Cutting Edge January 2024)", "meta": { "external_id": "S1115", "mitre_platforms": [ "Network" ], "refs": [ "https://attack.mitre.org/software/S1115", "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day", "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" ], "synonyms": [ "WIREFIRE", "GIFTEDVISITOR" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "c93e3079-43fb-4d8d-9e99-db63d07eadc9", "value": "WIREFIRE - S1115" }, { "description": "[WARPWIRE](https://attack.mitre.org/software/S1116) is a Javascript credential stealer that targets plaintext passwords and usernames for exfiltration that was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to target Ivanti Connect Secure VPNs.(Citation: Mandiant Cutting Edge January 2024)(Citation: Mandiant Cutting Edge Part 2 January 2024)", "meta": { "external_id": "S1116", "mitre_platforms": [ "Network" ], "refs": [ "https://attack.mitre.org/software/S1116", "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation", "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day" ], "synonyms": [ "WARPWIRE" ] }, 
"related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e", "type": "uses" }, { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "a5818d36-e9b0-46da-842d-b727a5e36ea6", "value": "WARPWIRE - S1116" }, { "description": "[GLASSTOKEN](https://attack.mitre.org/software/S1117) is a custom web shell used by threat actors during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to execute commands on compromised Ivanti Secure Connect VPNs.(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)", "meta": { "external_id": "S1117", "mitre_platforms": [ "Network" ], "refs": [ "https://attack.mitre.org/software/S1117", "https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" ], "synonyms": [ "GLASSTOKEN" ] }, "related": [ { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" } ], "uuid": "554e010d-726b-439d-9a1a-f60fff0cc109", "value": "GLASSTOKEN - S1117" }, { "description": "[BUSHWALK](https://attack.mitre.org/software/S1118) is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file on compromised Ivanti Connect Secure VPNs during [Cutting Edge](https://attack.mitre.org/campaigns/C0029).(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)", "meta": { "external_id": "S1118", "mitre_platforms": [ "Network" ], "refs": [ "https://attack.mitre.org/software/S1118", 
"https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence", "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" ], "synonyms": [ "BUSHWALK" ] }, "related": [ { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "29a0bb87-1162-4c83-9834-2a98a876051b", "value": "BUSHWALK - S1118" }, { "description": "[LIGHTWIRE](https://attack.mitre.org/software/S1119) is a web shell written in Perl that was used during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to maintain access and enable command execution by imbedding into the legitimate compcheckresult.cgi component of Ivanti Secure Connect VPNs.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge January 2024)", "meta": { "external_id": "S1119", "mitre_platforms": [ "Network" ], "refs": [ "https://attack.mitre.org/software/S1119", "https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation", "https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day" ], "synonyms": [ "LIGHTWIRE" ] }, "related": [ { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "5dc9e8ec-9917-4de7-b8ab-16007899dd80", "value": "LIGHTWIRE - S1119" }, { "description": 
"[Mispadu](https://attack.mitre.org/software/S1122) is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: SCILabs Malteiro 2021) This malware is operated, managed, and sold by the [Malteiro](https://attack.mitre.org/groups/G1026) cybercriminal group.(Citation: SCILabs Malteiro 2021) [Mispadu](https://attack.mitre.org/software/S1122) has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.(Citation: SCILabs Malteiro 2021)(Citation: SCILabs URSA/Mispadu Evolution 2023)(Citation: Segurança Informática URSA Sophisticated Loader 2020) ", "meta": { "external_id": "S1122", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1122", "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/", "https://blog.scilabs.mx/en/evolution-of-banking-trojan-ursa-mispadu/", "https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/", "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" ], "synonyms": [ "Mispadu" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, 
{ "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" } ], "uuid": "4e6464d2-69df-4e56-8d4c-1973f84d7b80", "value": "Mispadu - S1122" }, { "description": "[PITSTOP](https://attack.mitre.org/software/S1123) is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during [Cutting Edge](https://attack.mitre.org/campaigns/C0029) to enable command execution and file read/write.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "meta": { "external_id": "S1123", "mitre_platforms": [ "Network" ], "refs": [ "https://attack.mitre.org/software/S1123", "https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence" ], "synonyms": [ "PITSTOP" ] }, "related": [ { "dest-uuid": "005cc321-08ce-4d17-b1ea-cb5275926520", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": 
"a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" } ], "uuid": "d79b1800-3b5d-4a4f-8863-8251eca793e2", "value": "PITSTOP - S1123" }, { "description": "[SocGholish](https://attack.mitre.org/software/S1124) is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily through drive-by-downloads masquerading as software updates. SocGholish is operated by [Mustard Tempest](https://attack.mitre.org/groups/G1020) and its access has been sold to groups including [Indrik Spider](https://attack.mitre.org/groups/G0119) for downloading secondary RAT and ransomware payloads.(Citation: SentinelOne SocGholish Infrastructure November 2022)(Citation: SocGholish-update)(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile) ", "meta": { "external_id": "S1124", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1124", "https://redcanary.com/threat-detection-report/threats/socgholish/", "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update", "https://www.secureworks.com/research/threat-profiles/gold-prelude", "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/" ], "synonyms": [ "SocGholish", "FakeUpdates" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d91b3c0-5e50-47c3-949a-2a796f04d144", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" 
}, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" } ], "uuid": "5911d2ca-64f6-49b3-b94f-29b5d185085c", "value": "SocGholish - S1124" }, { "description": "[AcidRain](https://attack.mitre.org/software/S1125) is an ELF binary targeting modems and routers using MIPS architecture.(Citation: AcidRain JAGS 2022) [AcidRain](https://attack.mitre.org/software/S1125) is associated with the ViaSat KA-SAT communication outage that took place during the initial phases of the 2022 full-scale invasion of Ukraine. 
Analysis indicates overlap with another network device-targeting malware, VPNFilter, associated with [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: AcidRain JAGS 2022) US and European government sources linked [AcidRain](https://attack.mitre.org/software/S1125) to Russian government entities, while Ukrainian government sources linked [AcidRain](https://attack.mitre.org/software/S1125) specifically to [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: AcidRain State Department 2022)(Citation: Vincens AcidPour 2024)", "meta": { "external_id": "S1125", "mitre_platforms": [ "Network", "Linux" ], "refs": [ "https://attack.mitre.org/software/S1125", "https://cyberscoop.com/viasat-malware-wiper-acidrain/", "https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/", "https://www.state.gov/attribution-of-russias-malicious-cyber-activity-against-ukraine/" ], "synonyms": [ "AcidRain" ] }, "related": [ { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" } ], "uuid": "04cecafd-cb5f-4daf-aa1f-73899116c4a2", "value": "AcidRain - S1125" }, { "description": "[Phenakite](https://attack.mitre.org/software/S1126) is a mobile malware that is used by [APT-C-23](https://attack.mitre.org/groups/G1028) to target iOS devices. 
According to several reports, [Phenakite](https://attack.mitre.org/software/S1126) was developed to fill a tooling gap and to target those who owned iPhones instead of Windows desktops or Android phones.(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)", "meta": { "external_id": "S1126", "mitre_platforms": [ "iOS" ], "refs": [ "https://attack.mitre.org/software/S1126", "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf", "https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/" ], "synonyms": [ "Phenakite" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "type": "uses" }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" } ], "uuid": "f97e2718-af50-41df-811f-215ebab45691", "value": "Phenakite - S1126" }, { "description": "[HilalRAT](https://attack.mitre.org/software/S1128) is a remote access-capable Android malware, developed and used by [UNC788](https://attack.mitre.org/groups/G1029).(Citation: Meta Adversarial Threat Report 2022) [HilalRAT](https://attack.mitre.org/software/S1128) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as activating a device's camera and microphone.(Citation: Meta 
Adversarial Threat Report 2022) ", "meta": { "external_id": "S1128", "mitre_platforms": [ "Android" ], "refs": [ "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf", "https://attack.mitre.org/software/S1128" ], "synonyms": [ "HilalRAT" ] }, "related": [ { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" } ], "uuid": "55714f87-6178-4b89-b3e5-d3a643f647ca", "value": "HilalRAT - S1128" }, { "description": "[Akira](https://attack.mitre.org/software/S1129) ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity [Akira](https://attack.mitre.org/groups/G1024).(Citation: Kersten Akira 2023)", "meta": { "external_id": "S1129", "mitre_platforms": [ "Windows" ], "refs": [ "https://attack.mitre.org/software/S1129", "https://www.trellix.com/blogs/research/akira-ransomware/" ], "synonyms": [ "Akira" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": 
"f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" } ], "uuid": "6f6b2353-4b39-40ce-9d6d-d00b7a61e656", "value": "Akira - S1129" } ], "version": 34 }