{
|
|
"authors": [
|
|
"MITRE"
|
|
],
|
|
"category": "tool",
|
|
"description": "Name of ATT&CK software",
|
|
"name": "Malware",
|
|
"source": "https://github.com/mitre/cti",
|
|
"type": "mitre-malware",
|
|
"uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
|
|
"values": [
|
|
{
|
|
"description": "[Hacking Team UEFI Rootkit](https://attack.mitre.org/software/S0047) is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. (Citation: TrendMicro Hacking Team UEFI)",
|
|
"meta": {
|
|
"external_id": "S0047",
|
|
"refs": [
|
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/",
|
|
"https://attack.mitre.org/software/S0047"
|
|
],
|
|
"synonyms": [
|
|
"Hacking Team UEFI Rootkit"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8",
|
|
"value": "Hacking Team UEFI Rootkit - S0047"
|
|
},
|
|
{
|
|
"description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) It is tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).",
|
|
"meta": {
|
|
"external_id": "S0314",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0314",
|
|
"https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "56660521-6db4-4e5a-a927-464f22954b7c",
|
|
"value": "X-Agent for Android - S0314"
|
|
},
|
|
{
|
|
"description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0) ",
|
|
"meta": {
|
|
"external_id": "S0539",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0539",
|
|
"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"
|
|
],
|
|
"synonyms": [
|
|
"Red Alert 2.0"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "986f80f7-ff0e-4f48-87bd-0394814bbce5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6e282bbf-5f32-476a-b879-ba77eec463c8",
|
|
"value": "Red Alert 2.0 - S0539"
|
|
},
|
|
{
|
|
"description": "[Exaramel for Linux](https://attack.mitre.org/software/S0401) is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under [Exaramel for Windows](https://attack.mitre.org/software/S0343).(Citation: ESET TeleBots Oct 2018)",
|
|
"meta": {
|
|
"external_id": "S0401",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0401",
|
|
"https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/"
|
|
],
|
|
"synonyms": [
|
|
"Exaramel for Linux"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "11194d8b-fdce-45d2-8047-df15bb8f16bd",
|
|
"value": "Exaramel for Linux - S0401"
|
|
},
|
|
{
|
|
"description": "[Winnti for Linux](https://attack.mitre.org/software/S0430) is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including [Winnti Group](https://attack.mitre.org/groups/G0044). The Windows variant is tracked separately under [Winnti for Windows](https://attack.mitre.org/software/S0141).(Citation: Chronicle Winnti for Linux May 2019)",
|
|
"meta": {
|
|
"external_id": "S0430",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0430",
|
|
"https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"
|
|
],
|
|
"synonyms": [
|
|
"Winnti for Linux"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8787e86d-8475-4f13-acea-d33eb83b6105",
|
|
"value": "Winnti for Linux - S0430"
|
|
},
|
|
{
|
|
"description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).",
|
|
"meta": {
|
|
"external_id": "S0490",
|
|
"mitre_platforms": [
|
|
"iOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0490",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"
|
|
],
|
|
"synonyms": [
|
|
"XLoader for iOS"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "29944858-da52-4d3d-b428-f8a6eb8dde6f",
|
|
"value": "XLoader for iOS - S0490"
|
|
},
|
|
{
|
|
"description": "[Winnti for Windows](https://attack.mitre.org/software/S0141) is a modular remote access Trojan (RAT) that has been used likely by multiple groups to carry out intrusions in various regions since at least 2010, including by one group referred to as the same name, [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: Kaspersky Winnti April 2013)(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)(Citation: 401 TRG Winnti Umbrella May 2018). The Linux variant is tracked separately under [Winnti for Linux](https://attack.mitre.org/software/S0430).(Citation: Chronicle Winnti for Linux May 2019)",
|
|
"meta": {
|
|
"external_id": "S0141",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://401trg.github.io/pages/burning-umbrella.html",
|
|
"https://attack.mitre.org/software/S0141",
|
|
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
|
|
"https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
|
|
"https://securelist.com/winnti-more-than-just-a-game/37029/",
|
|
"https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Winnti for Windows"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9b3a4cff-1c5a-4fd6-b49c-27240b6d622c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9b3a4cff-1c5a-4fd6-b49c-27240b6d622c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d3afa961-a80c-4043-9509-282cdf69ab21",
|
|
"value": "Winnti for Windows - S0141"
|
|
},
|
|
{
|
|
"description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).",
|
|
"meta": {
|
|
"external_id": "S0316",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
|
|
"https://attack.mitre.org/software/S0316",
|
|
"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
|
|
],
|
|
"synonyms": [
|
|
"Pegasus for Android",
|
|
"Chrysaor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "93799a9d-3537-43d8-b6f4-17215de1657c",
|
|
"value": "Pegasus for Android - S0316"
|
|
},
|
|
{
|
|
"description": "[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).",
|
|
"meta": {
|
|
"external_id": "S0318",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0318",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"
|
|
],
|
|
"synonyms": [
|
|
"XLoader for Android"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "986f80f7-ff0e-4f48-87bd-0394814bbce5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2740eaf6-2db2-4a40-a63f-f5b166c7059c",
|
|
"value": "XLoader for Android - S0318"
|
|
},
|
|
{
|
|
"description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. (Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).",
|
|
"meta": {
|
|
"external_id": "S0289",
|
|
"mitre_platforms": [
|
|
"iOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0289",
|
|
"https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/",
|
|
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Pegasus for iOS"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "5abfc5e6-3c56-49e7-ad72-502d01acf28b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a",
|
|
"value": "Pegasus for iOS - S0289"
|
|
},
|
|
{
|
|
"description": "[Exaramel for Windows](https://attack.mitre.org/software/S0343) is a backdoor used for targeting Windows systems. The Linux version is tracked separately under [Exaramel for Linux](https://attack.mitre.org/software/S0401).(Citation: ESET TeleBots Oct 2018)",
|
|
"meta": {
|
|
"external_id": "S0343",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0343",
|
|
"https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/"
|
|
],
|
|
"synonyms": [
|
|
"Exaramel for Windows"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "051eaca1-958f-4091-9e5f-a9acd8f820b5",
|
|
"value": "Exaramel for Windows - S0343"
|
|
},
|
|
{
|
|
"description": "[P.A.S. Webshell](https://attack.mitre.org/software/S0598) is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.(Citation: ANSSI Sandworm January 2021)",
|
|
"meta": {
|
|
"external_id": "S0598",
|
|
"mitre_platforms": [
|
|
"Linux",
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0598",
|
|
"https://us-cert.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf",
|
|
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf"
|
|
],
|
|
"synonyms": [
|
|
"P.A.S. Webshell",
|
|
"Fobushell"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4800d0f9-00aa-47cd-a4d2-92198585b8fd",
|
|
"value": "P.A.S. Webshell - S0598"
|
|
},
|
|
{
|
|
"description": "[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)",
|
|
"meta": {
|
|
"external_id": "S0032",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0032",
|
|
"https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/",
|
|
"https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
|
|
"https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/",
|
|
"https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html"
|
|
],
|
|
"synonyms": [
|
|
"gh0st RAT",
|
|
"Mydoor",
|
|
"Moudoor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b1ae63f-bcee-4aba-8994-6c60cee5e16f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29ba5a15-3b7b-4732-b817-65ea8f6468e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b1ae63f-bcee-4aba-8994-6c60cee5e16f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24",
|
|
"value": "gh0st RAT - S0032"
|
|
},
|
|
{
|
|
"description": "[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.(Citation: Lee 2013) It has been used by several threat groups.(Citation: Dell TG-3390)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Rapid7 HAFNIUM Mar 2021)",
|
|
"meta": {
|
|
"external_id": "S0020",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0020",
|
|
"https://us-cert.cisa.gov/ncas/alerts/aa21-200a",
|
|
"https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
|
|
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
|
|
"https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/",
|
|
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"
|
|
],
|
|
"synonyms": [
|
|
"China Chopper"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70",
|
|
"value": "China Chopper - S0020"
|
|
},
|
|
{
|
|
"description": "[Skeleton Key](https://attack.mitre.org/software/S0007) is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. (Citation: Dell Skeleton) Functionality similar to [Skeleton Key](https://attack.mitre.org/software/S0007) is included as a module in [Mimikatz](https://attack.mitre.org/software/S0002).",
|
|
"meta": {
|
|
"external_id": "S0007",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0007",
|
|
"https://www.secureworks.com/research/skeleton-key-malware-analysis"
|
|
],
|
|
"synonyms": [
|
|
"Skeleton Key"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "d4b96d2c-1032-4b22-9235-2b5b649d0605",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49",
|
|
"value": "Skeleton Key - S0007"
|
|
},
|
|
{
|
|
"description": "[P2P ZeuS](https://attack.mitre.org/software/S0016) is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. (Citation: Dell P2P ZeuS)",
|
|
"meta": {
|
|
"external_id": "S0016",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/",
|
|
"https://attack.mitre.org/software/S0016"
|
|
],
|
|
"synonyms": [
|
|
"P2P ZeuS",
|
|
"Peer-to-Peer ZeuS",
|
|
"Gameover ZeuS"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85",
|
|
"value": "P2P ZeuS - S0016"
|
|
},
|
|
{
|
|
"description": "[Unknown Logger](https://attack.mitre.org/software/S0130) is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. (Citation: Forcepoint Monsoon)",
|
|
"meta": {
|
|
"external_id": "S0130",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0130",
|
|
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Unknown Logger"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56",
|
|
"value": "Unknown Logger - S0130"
|
|
},
|
|
{
|
|
"description": "[Black Basta](https://attack.mitre.org/software/S1070) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMware ESXi servers. [Black Basta](https://attack.mitre.org/software/S1070) operations have included the double extortion technique where, in addition to demanding ransom for decrypting the files of targeted organizations, the cyber actors also threaten to post sensitive information to a leak site if the ransom is not paid. [Black Basta](https://attack.mitre.org/software/S1070) affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess the [Black Basta](https://attack.mitre.org/software/S1070) RaaS operators could include current or former members of the [Conti](https://attack.mitre.org/software/S0575) group.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Minerva Labs Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Cyble Black Basta May 2022)",
|
|
"meta": {
|
|
"external_id": "S1070",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1070",
|
|
"https://blog.cyble.com/2022/05/06/black-basta-ransomware/",
|
|
"https://minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/",
|
|
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
|
|
"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware",
|
|
"https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware",
|
|
"https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence"
|
|
],
|
|
"synonyms": [
|
|
"Black Basta"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8d242fb4-9033-4f13-8a88-4b9b4bcd9a53",
|
|
"value": "Black Basta - S1070"
|
|
},
|
|
{
|
|
"description": "[Cherry Picker](https://attack.mitre.org/software/S0107) is a point of sale (PoS) memory scraper. (Citation: Trustwave Cherry Picker)",
|
|
"meta": {
|
|
"external_id": "S0107",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0107",
|
|
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/"
|
|
],
|
|
"synonyms": [
|
|
"Cherry Picker"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe",
|
|
"value": "Cherry Picker - S0107"
|
|
},
|
|
{
|
|
"description": "[Zeus Panda](https://attack.mitre.org/software/S0330) is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda](https://attack.mitre.org/software/S0330)\u2019s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)",
|
|
"meta": {
|
|
"external_id": "S0330",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0330",
|
|
"https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More",
|
|
"https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Zeus Panda"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "198db886-47af-4f4c-bff5-11b891f85946",
|
|
"value": "Zeus Panda - S0330"
|
|
},
|
|
{
|
|
"description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)",
|
|
"meta": {
|
|
"external_id": "S0305",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0305",
|
|
"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
|
|
],
|
|
"synonyms": [
|
|
"SpyNote RAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23",
|
|
"value": "SpyNote RAT - S0305"
|
|
},
|
|
{
|
|
"description": "[3PARA RAT](https://attack.mitre.org/software/S0066) is a remote access tool (RAT) programmed in C++ that has been used by [Putter Panda](https://attack.mitre.org/groups/G0024). (Citation: CrowdStrike Putter Panda)",
|
|
"meta": {
|
|
"external_id": "S0066",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
|
|
"https://attack.mitre.org/software/S0066"
|
|
],
|
|
"synonyms": [
|
|
"3PARA RAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "59fb0222-0e7d-4f5f-92ac-e68012fb927d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "59fb0222-0e7d-4f5f-92ac-e68012fb927d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a",
|
|
"value": "3PARA RAT - S0066"
|
|
},
|
|
{
|
|
"description": "[Agent Smith](https://attack.mitre.org/software/S0440) is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019, [Agent Smith](https://attack.mitre.org/software/S0440) had infected around 25 million devices, primarily targeting India, though effects had also been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)",
|
|
"meta": {
|
|
"external_id": "S0440",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0440",
|
|
"https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"
|
|
],
|
|
"synonyms": [
|
|
"Agent Smith"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d3bc5020-f6a2-41c0-8ccb-5e563101b60c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fa801609-ca8e-415e-815e-65f3826ff4df",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a6228601-03f6-4949-ae22-c1087627a637",
|
|
"value": "Agent Smith - S0440"
|
|
},
|
|
{
|
|
"description": "[4H RAT](https://attack.mitre.org/software/S0065) is malware that has been used by [Putter Panda](https://attack.mitre.org/groups/G0024) since at least 2007. (Citation: CrowdStrike Putter Panda)",
|
|
"meta": {
|
|
"external_id": "S0065",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
|
|
"https://attack.mitre.org/software/S0065"
|
|
],
|
|
"synonyms": [
|
|
"4H RAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8aad68d-a68f-42e1-b755-d5f383b73401",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8aad68d-a68f-42e1-b755-d5f383b73401",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc",
|
|
"value": "4H RAT - S0065"
|
|
},
|
|
{
|
|
"description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion) ",
|
|
"meta": {
|
|
"external_id": "S0505",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0505",
|
|
"https://blog.lookout.com/desert-scorpion-google-play"
|
|
],
|
|
"synonyms": [
|
|
"Desert Scorpion"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3271c107-92c4-442e-9506-e76d62230ee8",
|
|
"value": "Desert Scorpion - S0505"
|
|
},
|
|
{
|
|
"description": "[Net Crawler](https://attack.mitre.org/software/S0056) is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using [PsExec](https://attack.mitre.org/software/S0029) to execute a copy of [Net Crawler](https://attack.mitre.org/software/S0056). (Citation: Cylance Cleaver)",
|
|
"meta": {
|
|
"external_id": "S0056",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0056",
|
|
"https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Net Crawler",
|
|
"NetC"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704",
|
|
"value": "Net Crawler - S0056"
|
|
},
|
|
{
|
|
"description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware) ",
|
|
"meta": {
|
|
"external_id": "S0606",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0606",
|
|
"https://securelist.com/bad-rabbit-ransomware/82851/",
|
|
"https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/",
|
|
"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"
|
|
],
|
|
"synonyms": [
|
|
"Bad Rabbit",
|
|
"Win32/Diskcoder.D"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2eaa5319-5e1e-4dd7-bbc4-566fced3964a",
|
|
"value": "Bad Rabbit - S0606"
|
|
},
|
|
{
|
|
"description": "[Green Lambert](https://attack.mitre.org/software/S0690) is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of [Green Lambert](https://attack.mitre.org/software/S0690) may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.(Citation: Kaspersky Lamberts Toolkit April 2017)(Citation: Objective See Green Lambert for OSX Oct 2021) ",
|
|
"meta": {
|
|
"external_id": "S0690",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"iOS",
|
|
"macOS",
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0690",
|
|
"https://objective-see.com/blog/blog_0x68.html",
|
|
"https://securelist.com/unraveling-the-lamberts-toolkit/77990/"
|
|
],
|
|
"synonyms": [
|
|
"Green Lambert"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "84601337-6a55-4ad7-9c35-79e0d1ea2ab3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "59c8a28c-200c-4565-9af1-cbdb24870ba0",
|
|
"value": "Green Lambert - S0690"
|
|
},
|
|
{
|
|
"description": "[Saint Bot](https://attack.mitre.org/software/S1018) is a .NET downloader that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)",
|
|
"meta": {
|
|
"external_id": "S1018",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1018",
|
|
"https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/",
|
|
"https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2cd950a6-16c4-404a-aa01-044322395107",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7724581b-06ff-4d2b-b77c-80dc8d53070b",
|
|
"value": "Saint Bot - S1018"
|
|
},
|
|
{
|
|
"description": "[Heyoka Backdoor](https://attack.mitre.org/software/S1027) is a custom backdoor, based on the open-source Heyoka exfiltration tool, that has been used by [Aoqin Dragon](https://attack.mitre.org/groups/G1007) since at least 2013.(Citation: SentinelOne Aoqin Dragon June 2022)(Citation: Sourceforge Heyoka 2022)",
|
|
"meta": {
|
|
"external_id": "S1027",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1027",
|
|
"https://heyoka.sourceforge.net/",
|
|
"https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/"
|
|
],
|
|
"synonyms": [
|
|
"Heyoka Backdoor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "dff90475-9f72-41a6-84ed-1fbefd3874c0",
|
|
"value": "Heyoka Backdoor - S1027"
|
|
},
|
|
{
|
|
"description": "[Action RAT](https://attack.mitre.org/software/S1028) is a remote access tool written in Delphi that has been used by [SideCopy](https://attack.mitre.org/groups/G1008) since at least December 2021 against Indian and Afghan government personnel.(Citation: MalwareBytes SideCopy Dec 2021)",
|
|
"meta": {
|
|
"external_id": "S1028",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1028",
|
|
"https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure"
|
|
],
|
|
"synonyms": [
|
|
"Action RAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "36801ffb-5c85-4c50-9121-6122e389366d",
|
|
"value": "Action RAT - S1028"
|
|
},
|
|
{
|
|
"description": "[AutoIt backdoor](https://attack.mitre.org/software/S0129) is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. (Citation: Forcepoint Monsoon) This malware makes use of the legitimate AutoIt scripting language for Windows GUI automation, from which it takes its name.",
|
|
"meta": {
|
|
"external_id": "S0129",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0129",
|
|
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"AutoIt backdoor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300",
|
|
"value": "AutoIt backdoor - S0129"
|
|
},
|
|
{
|
|
"description": "[AuTo Stealer](https://attack.mitre.org/software/S1029) is malware written in C++ that has been used by [SideCopy](https://attack.mitre.org/groups/G1008) since at least December 2021 to target government agencies and personnel in India and Afghanistan.(Citation: MalwareBytes SideCopy Dec 2021)",
|
|
"meta": {
|
|
"external_id": "S1029",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1029",
|
|
"https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure"
|
|
],
|
|
"synonyms": [
|
|
"AuTo Stealer"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5",
|
|
"value": "AuTo Stealer - S1029"
|
|
},
|
|
{
|
|
"description": "[Agent Tesla](https://attack.mitre.org/software/S0331) is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020)",
|
|
"meta": {
|
|
"external_id": "S0331",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0331",
|
|
"https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
|
|
"https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html",
|
|
"https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/",
|
|
"https://www.digitrustgroup.com/agent-tesla-keylogger/",
|
|
"https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html"
|
|
],
|
|
"synonyms": [
|
|
"Agent Tesla"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "494ab9f0-36e0-4b06-b10d-57285b040a06",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c48a67ee-b657-45c1-91bf-6cdbe27205f8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
|
|
"value": "Agent Tesla - S0331"
|
|
},
|
|
{
|
|
"description": "[Small Sieve](https://attack.mitre.org/software/S1035) is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: NCSC GCHQ Small Sieve Jan 2022)\n\nSecurity researchers have also noted [Small Sieve](https://attack.mitre.org/software/S1035)'s use by UNC3313, which may be associated with [MuddyWater](https://attack.mitre.org/groups/G0069).(Citation: Mandiant UNC3313 Feb 2022)",
|
|
"meta": {
|
|
"external_id": "S1035",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1035",
|
|
"https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
|
|
"https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
|
|
"https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Small Sieve",
|
|
"GRAMDOOR"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ff41b9b6-4c1d-407b-a7e2-835109c8dbc5",
|
|
"value": "Small Sieve - S1035"
|
|
},
|
|
{
|
|
"description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as \u201cadversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\u201d. Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: cobaltstrike manual)",
|
|
"meta": {
|
|
"external_id": "S0154",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"Linux",
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0154",
|
|
"https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Cobalt Strike"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a7881f21-e978-4fe4-af56-92c9416a2616",
|
|
"value": "Cobalt Strike - S0154"
|
|
},
|
|
{
|
|
"description": "[Ragnar Locker](https://attack.mitre.org/software/S0481) is a ransomware that has been in use since at least December 2019.(Citation: Sophos Ragnar May 2020)(Citation: Cynet Ragnar Apr 2020)",
|
|
"meta": {
|
|
"external_id": "S0481",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0481",
|
|
"https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
|
|
"https://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/"
|
|
],
|
|
"synonyms": [
|
|
"Ragnar Locker"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e69f9836-873a-43d3-92a8-97ab783a4171",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "54895630-efd2-4608-9c24-319de972a9eb",
|
|
"value": "Ragnar Locker - S0481"
|
|
},
|
|
{
|
|
"description": "[Woody RAT](https://attack.mitre.org/software/S1065) is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.(Citation: MalwareBytes WoodyRAT Aug 2022)",
|
|
"meta": {
|
|
"external_id": "S1065",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1065",
|
|
"https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild"
|
|
],
|
|
"synonyms": [
|
|
"Woody RAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3bc7e862-5610-4c02-9c48-15b2e2dc1ddb",
|
|
"value": "Woody RAT - S1065"
|
|
},
|
|
{
|
|
"description": "[SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: Mandiant - Synful Knock)(Citation: Cisco Synful Knock Evolution)",
|
|
"meta": {
|
|
"external_id": "S0519",
|
|
"mitre_platforms": [
|
|
"Network"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0519",
|
|
"https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices",
|
|
"https://www.mandiant.com/resources/synful-knock-acis"
|
|
],
|
|
"synonyms": [
|
|
"SYNful Knock"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d245808a-7086-4310-984a-a84aaaa43f8f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fa44a152-ac48-441e-a524-dd7b04b8adcd",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "84c1ecc6-e5a2-4e8a-bf4b-651a618e0053",
|
|
"value": "SYNful Knock - S0519"
|
|
},
|
|
{
|
|
"description": "[Power Loader](https://attack.mitre.org/software/S0177) is modular code sold on cybercrime markets and used as a downloader component in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)",
|
|
"meta": {
|
|
"external_id": "S0177",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0177",
|
|
"https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html",
|
|
"https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0042a9f5-f053-4769-b3ef-9ad018dfa298",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3",
|
|
"value": "Power Loader - S0177"
|
|
},
|
|
{
|
|
"description": "[Brave Prince](https://attack.mitre.org/software/S0252) is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to [Gold Dragon](https://attack.mitre.org/software/S0249), and was seen along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations surrounding the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)",
|
|
"meta": {
|
|
"external_id": "S0252",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0252",
|
|
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
|
|
],
|
|
"synonyms": [
|
|
"Brave Prince"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "28b97733-ef07-4414-aaa5-df50b2d30cc5",
|
|
"value": "Brave Prince - S0252"
|
|
},
|
|
{
|
|
"description": "[Smoke Loader](https://attack.mitre.org/software/S0226) is a malicious bot application that can be used to load other malware.\n[Smoke Loader](https://attack.mitre.org/software/S0226) has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)",
|
|
"meta": {
|
|
"external_id": "S0226",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0226",
|
|
"https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/",
|
|
"https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/"
|
|
],
|
|
"synonyms": [
|
|
"Smoke Loader",
|
|
"Dofoil"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "81f41bae-2ba9-4cec-9613-776be71645ca",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "81f41bae-2ba9-4cec-9613-776be71645ca",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0",
|
|
"value": "Smoke Loader - S0226"
|
|
},
|
|
{
|
|
"description": "[Linux Rabbit](https://attack.mitre.org/software/S0362) is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018)\n",
|
|
"meta": {
|
|
"external_id": "S0362",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0362",
|
|
"https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
|
|
],
|
|
"synonyms": [
|
|
"Linux Rabbit"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0efefea5-78da-4022-92bc-d726139e8883",
|
|
"value": "Linux Rabbit - S0362"
|
|
},
|
|
{
|
|
"description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)",
|
|
"meta": {
|
|
"external_id": "S0328",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0328",
|
|
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Stealth Mango"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "085eb36d-697d-4d9a-bac3-96eb879fe73c",
|
|
"value": "Stealth Mango - S0328"
|
|
},
|
|
{
|
|
"description": "[Corona Updates](https://attack.mitre.org/software/S0425) is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)",
|
|
"meta": {
|
|
"external_id": "S0425",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0425",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"
|
|
],
|
|
"synonyms": [
|
|
"Corona Updates",
|
|
"Wabi Music",
|
|
"Concipit1248"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "37047267-3e56-453c-833e-d92b68118120",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "366c800f-97a8-48d5-b0a6-79d00198252a",
|
|
"value": "Corona Updates - S0425"
|
|
},
|
|
{
|
|
"description": "[Gold Dragon](https://attack.mitre.org/software/S0249) is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. [Gold Dragon](https://attack.mitre.org/software/S0249) was used along with [Brave Prince](https://attack.mitre.org/software/S0252) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)",
|
|
"meta": {
|
|
"external_id": "S0249",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0249",
|
|
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
|
|
],
|
|
"synonyms": [
|
|
"Gold Dragon"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b9799466-9dd7-4098-b2d6-f999ce50b9a8",
|
|
"value": "Gold Dragon - S0249"
|
|
},
|
|
{
|
|
"description": "[Caterpillar WebShell](https://attack.mitre.org/software/S0572) is a self-developed Web Shell tool created by the group [Volatile Cedar](https://attack.mitre.org/groups/G0123).(Citation: ClearSky Lebanese Cedar Jan 2021) ",
|
|
"meta": {
|
|
"external_id": "S0572",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0572",
|
|
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf",
|
|
"https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Caterpillar WebShell"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "751b77e6-af1f-483b-93fe-eddf17f92a64",
|
|
"value": "Caterpillar WebShell - S0572"
|
|
},
|
|
{
|
|
"description": "[Cobian RAT](https://attack.mitre.org/software/S0338) is a backdoor remote access tool that has been observed since 2016.(Citation: Zscaler Cobian Aug 2017)",
|
|
"meta": {
|
|
"external_id": "S0338",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0338",
|
|
"https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat"
|
|
],
|
|
"synonyms": [
|
|
"Cobian RAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "aa1462a1-d065-416c-b354-bedd04998c7f",
|
|
"value": "Cobian RAT - S0338"
|
|
},
|
|
{
|
|
"description": "[Cardinal RAT](https://attack.mitre.org/software/S0348) is a potentially low-volume remote access trojan (RAT) observed since December 2015. [Cardinal RAT](https://attack.mitre.org/software/S0348) is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.(Citation: PaloAlto CardinalRat Apr 2017)",
|
|
"meta": {
|
|
"external_id": "S0348",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0348",
|
|
"https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/"
|
|
],
|
|
"synonyms": [
|
|
"Cardinal RAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b879758f-bbc4-4cab-b5ba-177ac9b009b4",
|
|
"value": "Cardinal RAT - S0348"
|
|
},
|
|
{
|
|
"description": "[Golden Cup](https://attack.mitre.org/software/S0535) is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup) ",
|
|
"meta": {
|
|
"external_id": "S0535",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0535",
|
|
"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"
|
|
],
|
|
"synonyms": [
|
|
"Golden Cup"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f3975cc0-72bc-4308-836e-ac701b83860e",
|
|
"value": "Golden Cup - S0535"
|
|
},
|
|
{
|
|
"description": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. [Olympic Destroyer](https://attack.mitre.org/software/S0365) has worm-like features to spread itself across a computer network in order to maximize its destructive impact.(Citation: Talos Olympic Destroyer 2018)(Citation: US District Court Indictment GRU Unit 74455 October 2020) ",
|
|
"meta": {
|
|
"external_id": "S0365",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0365",
|
|
"https://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
|
|
"https://www.justice.gov/opa/press-release/file/1328521/download"
|
|
],
|
|
"synonyms": [
|
|
"Olympic Destroyer"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3249e92a-870b-426d-8790-ba311c1abfb4",
|
|
"value": "Olympic Destroyer - S0365"
|
|
},
|
|
{
|
|
"description": "[Revenge RAT](https://attack.mitre.org/software/S0379) is a freely available remote access tool written in .NET (C#).(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)",
|
|
"meta": {
|
|
"external_id": "S0379",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0379",
|
|
"https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/",
|
|
"https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517"
|
|
],
|
|
"synonyms": [
|
|
"Revenge RAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326",
|
|
"value": "Revenge RAT - S0379"
|
|
},
|
|
{
|
|
"description": "[Rising Sun](https://attack.mitre.org/software/S0448) is a modular backdoor that was used extensively in [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013) between 2017 and 2019. [Rising Sun](https://attack.mitre.org/software/S0448) infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed [Rising Sun](https://attack.mitre.org/software/S0448) included some source code from [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Trojan Duuzer.(Citation: McAfee Sharpshooter December 2018)",
|
|
"meta": {
|
|
"external_id": "S0448",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0448",
|
|
"https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Rising Sun"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "56e6b6c2-e573-4969-8bab-783205cebbbf",
|
|
"value": "Rising Sun - S0448"
|
|
},
|
|
{
|
|
"description": "[JSS Loader](https://attack.mitre.org/software/S0648) is a Remote Access Trojan (RAT) with .NET and C++ variants that has been used by [FIN7](https://attack.mitre.org/groups/G0046) since at least 2020.(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)",
|
|
"meta": {
|
|
"external_id": "S0648",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0648",
|
|
"https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
|
|
"https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc"
|
|
],
|
|
"synonyms": [
|
|
"JSS Loader"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f559f945-eb8b-48b1-904c-68568deebed3",
|
|
"value": "JSS Loader - S0648"
|
|
},
|
|
{
|
|
"description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim\u2019s bank account or cryptocurrency wallet and taking over email or social media accounts. [DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android\u2019s accessibility service.(Citation: ESET DEFENSOR ID) ",
|
|
"meta": {
|
|
"external_id": "S0479",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0479",
|
|
"https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/"
|
|
],
|
|
"synonyms": [
|
|
"DEFENSOR ID"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5a5dca4c-03c1-4b99-bfcf-c206e20aa663",
|
|
"value": "DEFENSOR ID - S0479"
|
|
},
|
|
{
|
|
"description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)",
|
|
"meta": {
|
|
"external_id": "S0558",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0558",
|
|
"https://www.zscaler.com/blogs/security-research/tiktok-spyware"
|
|
],
|
|
"synonyms": [
|
|
"Tiktok Pro"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00290ac5-551e-44aa-bbd8-c4b913488a6d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0",
|
|
"value": "Tiktok Pro - S0558"
|
|
},
|
|
{
|
|
"description": "[Cyclops Blink](https://attack.mitre.org/software/S0687) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.(Citation: NCSC Cyclops Blink February 2022)(Citation: NCSC CISA Cyclops Blink Advisory February 2022)(Citation: Trend Micro Cyclops Blink March 2022)",
|
|
"meta": {
|
|
"external_id": "S0687",
|
|
"mitre_platforms": [
|
|
"Network"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0687",
|
|
"https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf",
|
|
"https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter",
|
|
"https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"
|
|
],
|
|
"synonyms": [
|
|
"Cyclops Blink"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "791481f8-e96a-41be-b089-a088763083d4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b350b47f-88fe-4921-8538-6d9c59bac84e",
|
|
"value": "Cyclops Blink - S0687"
|
|
},
|
|
{
|
|
"description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)",
|
|
"meta": {
|
|
"external_id": "S0306",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0306",
|
|
"https://securelist.com/mobile-malware-evolution-2013/58335/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "28e39395-91e7-4f02-b694-5e079c964da9",
|
|
"value": "Trojan-SMS.AndroidOS.FakeInst.a - S0306"
|
|
},
|
|
{
|
|
"description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)",
|
|
"meta": {
|
|
"external_id": "S0307",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0307",
|
|
"https://securelist.com/mobile-malware-evolution-2013/58335/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17",
|
|
"value": "Trojan-SMS.AndroidOS.Agent.ao - S0307"
|
|
},
|
|
{
|
|
"description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. (Citation: Kaspersky-MobileMalware)",
|
|
"meta": {
|
|
"external_id": "S0308",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0308",
|
|
"https://securelist.com/mobile-malware-evolution-2013/58335/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d89c132d-7752-4c7f-9372-954a71522985",
|
|
"value": "Trojan-SMS.AndroidOS.OpFake.a - S0308"
|
|
},
|
|
{
|
|
"description": "[Mis-Type](https://attack.mitre.org/software/S0084) is a backdoor hybrid that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) by 2012.(Citation: Cylance Dust Storm)",
|
|
"meta": {
|
|
"external_id": "S0084",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0084",
|
|
"https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Mis-Type"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
|
|
"value": "Mis-Type - S0084"
|
|
},
|
|
{
|
|
"description": "[S-Type](https://attack.mitre.org/software/S0085) is a backdoor that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) since at least 2013.(Citation: Cylance Dust Storm)",
|
|
"meta": {
|
|
"external_id": "S0085",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0085",
|
|
"https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"S-Type"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131",
|
|
"value": "S-Type - S0085"
|
|
},
|
|
{
|
|
"description": "[Hi-Zor](https://attack.mitre.org/software/S0087) is a remote access tool (RAT) that has characteristics similar to [Sakula](https://attack.mitre.org/software/S0074). It was used in a campaign named INOCNATION. (Citation: Fidelis Hi-Zor)",
|
|
"meta": {
|
|
"external_id": "S0087",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0087",
|
|
"https://www.fidelissecurity.com/threatgeek/archive/introducing-hi-zor-rat/"
|
|
],
|
|
"synonyms": [
|
|
"Hi-Zor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d22a3e65-75e5-4970-b424-bdc06ec33dba",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d22a3e65-75e5-4970-b424-bdc06ec33dba",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc",
|
|
"value": "Hi-Zor - S0087"
|
|
},
|
|
{
|
|
"description": "[Miner-C](https://attack.mitre.org/software/S0133) is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. (Citation: Softpedia MinerC)",
|
|
"meta": {
|
|
"external_id": "S0133",
|
|
"refs": [
|
|
"http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml",
|
|
"https://attack.mitre.org/software/S0133"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234",
|
|
"value": "Miner-C - S0133"
|
|
},
|
|
{
|
|
"description": "[Seth-Locker](https://attack.mitre.org/software/S0639) is a ransomware with some remote control capabilities that has been in use since at least 2021.\n(Citation: Trend Micro Ransomware February 2021)",
|
|
"meta": {
|
|
"external_id": "S0639",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0639",
|
|
"https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html"
|
|
],
|
|
"synonyms": [
|
|
"Seth-Locker"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f931a0b9-0361-4b1b-bacf-955062c35746",
|
|
"value": "Seth-Locker - S0639"
|
|
},
|
|
{
|
|
"description": "[Aria-body](https://attack.mitre.org/software/S0456) is a custom backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since approximately 2017.(Citation: CheckPoint Naikon May 2020)",
|
|
"meta": {
|
|
"external_id": "S0456",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0456",
|
|
"https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/"
|
|
],
|
|
"synonyms": [
|
|
"Aria-body"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3161d76a-e2b2-4b97-9906-24909b735386",
|
|
"value": "Aria-body - S0456"
|
|
},
|
|
{
|
|
"description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. [S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for \"owl\", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)",
|
|
"meta": {
|
|
"external_id": "S1062",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1062",
|
|
"https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly",
|
|
"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"
|
|
],
|
|
"synonyms": [
|
|
"S.O.V.A."
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "51636761-2e35-44bf-9e56-e337adf97174",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "74e6003f-c7f4-4047-983b-708cc19b96b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4b53eb01-57d7-47b4-b078-22766b002b36",
|
|
"value": "S.O.V.A. - S1062"
|
|
},
|
|
{
|
|
"description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)",
|
|
"meta": {
|
|
"external_id": "S0304",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0304",
|
|
"https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"
|
|
],
|
|
"synonyms": [
|
|
"Android/Chuli.A"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533",
|
|
"value": "Android/Chuli.A - S0304"
|
|
},
|
|
{
|
|
"description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. (Citation: Microsoft MalLockerB)",
|
|
"meta": {
|
|
"external_id": "S0524",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0524",
|
|
"https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"
|
|
],
|
|
"synonyms": [
|
|
"AndroidOS/MalLocker.B"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "acf8fd2a-dc98-43b4-8d37-64e10728e591",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce",
|
|
"value": "AndroidOS/MalLocker.B - S0524"
|
|
},
|
|
{
|
|
"description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) is a variant of adware that has been distributed through multiple apps in the Google Play Store. (Citation: WeLiveSecurity AdDisplayAshas)",
|
|
"meta": {
|
|
"external_id": "S0525",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0525",
|
|
"https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"
|
|
],
|
|
"synonyms": [
|
|
"Android/AdDisplay.Ashas"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f7e7b736-2cff-4c2a-9232-352cd383463a",
|
|
"value": "Android/AdDisplay.Ashas - S0525"
|
|
},
|
|
{
|
|
"description": "[Trojan.Mebromi](https://attack.mitre.org/software/S0001) is BIOS-level malware that takes control of the victim before MBR. (Citation: Ge 2011)",
|
|
"meta": {
|
|
"external_id": "S0001",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.symantec.com/connect/blogs/bios-threat-showing-again",
|
|
"https://attack.mitre.org/software/S0001"
|
|
],
|
|
"synonyms": [
|
|
"Trojan.Mebromi"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec",
|
|
"value": "Trojan.Mebromi - S0001"
|
|
},
|
|
{
|
|
"description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)",
|
|
"meta": {
|
|
"external_id": "S0310",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/",
|
|
"https://attack.mitre.org/software/S0310"
|
|
],
|
|
"synonyms": [
|
|
"ANDROIDOS_ANSERVER.A"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "986f80f7-ff0e-4f48-87bd-0394814bbce5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8",
|
|
"value": "ANDROIDOS_ANSERVER.A - S0310"
|
|
},
|
|
{
|
|
"description": "[Agent.btz](https://attack.mitre.org/software/S0092) is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. (Citation: Securelist Agent.btz)",
|
|
"meta": {
|
|
"external_id": "S0092",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0092",
|
|
"https://securelist.com/agent-btz-a-source-of-inspiration/58551/"
|
|
],
|
|
"synonyms": [
|
|
"Agent.btz"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39",
|
|
"value": "Agent.btz - S0092"
|
|
},
|
|
{
|
|
"description": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a modular backdoor that used by [Dragonfly](https://attack.mitre.org/groups/G0035) against energy companies since at least 2013. [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)",
|
|
"meta": {
|
|
"external_id": "S0093",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0093",
|
|
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
|
|
"https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers",
|
|
"https://vblocalhost.com/uploads/VB2021-Slowik.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Backdoor.Oldrea",
|
|
"Havex"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d7183f66-59ec-4803-be20-237b442259fc",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d7183f66-59ec-4803-be20-237b442259fc",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
|
|
"value": "Backdoor.Oldrea - S0093"
|
|
},
|
|
{
|
|
"description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) is a modular remote access tool used for recon and linked to [Dragonfly](https://attack.mitre.org/groups/G0035). The source code for [Trojan.Karagany](https://attack.mitre.org/software/S0094) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY )",
|
|
"meta": {
|
|
"external_id": "S0094",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0094",
|
|
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
|
|
"https://www.dragos.com/threat/dymalloy/",
|
|
"https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector"
|
|
],
|
|
"synonyms": [
|
|
"Trojan.Karagany",
|
|
"xFrost",
|
|
"Karagany"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d",
|
|
"value": "Trojan.Karagany - S0094"
|
|
},
|
|
{
|
|
"description": "[macOS.OSAMiner](https://attack.mitre.org/software/S1048) is a Monero mining trojan that was first observed in 2018; security researchers assessed [macOS.OSAMiner](https://attack.mitre.org/software/S1048) may have been circulating since at least 2015. [macOS.OSAMiner](https://attack.mitre.org/software/S1048) is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.(Citation: SentinelLabs reversing run-only applescripts 2021)(Citation: VMRay OSAMiner dynamic analysis 2021)",
|
|
"meta": {
|
|
"external_id": "S1048",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1048",
|
|
"https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/",
|
|
"https://www.vmray.com/cyber-security-blog/osaminer-uses-applescripts-evade-detection-malware-analysis-spotlight/"
|
|
],
|
|
"synonyms": [
|
|
"macOS.OSAMiner"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2f41939b-54c3-41d6-8f8b-35f1ec18ed97",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "810aa4ad-61c9-49cb-993f-daa06199421d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2a59a237-1530-4d55-91f9-2aebf961cc37",
|
|
"value": "macOS.OSAMiner - S1048"
|
|
},
|
|
{
|
|
"description": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a macOS backdoor used by [APT32](https://attack.mitre.org/groups/G0050). Since the backdoor was first discovered in 2015, [APT32](https://attack.mitre.org/groups/G0050) has continued to improve [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352), using a plugin architecture to extend its capabilities, specifically with `.dylib` files. [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) can also determine its permission level and execute according to access type (`root` or `user`).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)",
|
|
"meta": {
|
|
"external_id": "S0352",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0352",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/",
|
|
"https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/",
|
|
"https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html"
|
|
],
|
|
"synonyms": [
|
|
"OSX_OCEANLOTUS.D",
|
|
"Backdoor.MacOS.OCEANLOTUS.F"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29",
|
|
"value": "OSX_OCEANLOTUS.D - S0352"
|
|
},
|
|
{
|
|
"description": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)",
|
|
"meta": {
|
|
"external_id": "S0402",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0402",
|
|
"https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/",
|
|
"https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html",
|
|
"https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/",
|
|
"https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/",
|
|
"https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/"
|
|
],
|
|
"synonyms": [
|
|
"OSX/Shlayer",
|
|
"Zshlayer",
|
|
"Crossrider"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4a2975db-414e-4c0c-bd92-775987514b4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b22e5153-ac28-4cc6-865c-2054e36285cb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b84903f0-c7d5-435d-a69e-de47cc3578c0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f1314e75-ada8-49f4-b281-b1fb8b48f2a7",
|
|
"value": "OSX/Shlayer - S0402"
|
|
},
|
|
{
|
|
"description": "[T9000](https://attack.mitre.org/software/S0098) is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. (Citation: FireEye admin@338 March 2014) (Citation: Palo Alto T9000 Feb 2016)",
|
|
"meta": {
|
|
"external_id": "S0098",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/",
|
|
"https://attack.mitre.org/software/S0098",
|
|
"https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html"
|
|
],
|
|
"synonyms": [
|
|
"T9000"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "66575fb4-7f92-42d8-8c47-e68a26413081",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "66575fb4-7f92-42d8-8c47-e68a26413081",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
|
|
"value": "T9000 - S0098"
|
|
},
|
|
{
|
|
"description": "[BS2005](https://attack.mitre.org/software/S0014) is malware that was used by [Ke3chang](https://attack.mitre.org/groups/G0004) in spearphishing campaigns since at least 2011. (Citation: Mandiant Operation Ke3chang November 2014)",
|
|
"meta": {
|
|
"external_id": "S0014",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0014",
|
|
"https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs"
|
|
],
|
|
"synonyms": [
|
|
"BS2005"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25cd01bc-1346-4415-8f8d-d3656309ef6b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "25cd01bc-1346-4415-8f8d-d3656309ef6b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6",
|
|
"value": "BS2005 - S0014"
|
|
},
|
|
{
|
|
"description": "[Sys10](https://attack.mitre.org/software/S0060) is a backdoor that was used throughout 2013 by [Naikon](https://attack.mitre.org/groups/G0019). (Citation: Baumgartner Naikon 2015)",
|
|
"meta": {
|
|
"external_id": "S0060",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0060",
|
|
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Sys10"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2ae57534-6aac-4025-8d93-888dab112b45",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2ae57534-6aac-4025-8d93-888dab112b45",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7f8730af-f683-423f-9ee1-5f6875a80481",
|
|
"value": "Sys10 - S0060"
|
|
},
|
|
{
|
|
"description": "[Lurid](https://attack.mitre.org/software/S0010) is a malware family that has been used by several groups, including [PittyTiger](https://attack.mitre.org/groups/G0011), in targeted attacks as far back as 2006. (Citation: Villeneuve 2014) (Citation: Villeneuve 2011)",
|
|
"meta": {
|
|
"external_id": "S0010",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf",
|
|
"https://attack.mitre.org/software/S0010",
|
|
"https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html"
|
|
],
|
|
"synonyms": [
|
|
"Lurid",
|
|
"Enfal"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad",
|
|
"value": "Lurid - S0010"
|
|
},
|
|
{
|
|
"description": "[Dipsind](https://attack.mitre.org/software/S0200) is a malware family of backdoors that appear to be used exclusively by [PLATINUM](https://attack.mitre.org/groups/G0068). (Citation: Microsoft PLATINUM April 2016)",
|
|
"meta": {
|
|
"external_id": "S0200",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0200",
|
|
"https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Dipsind"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517",
|
|
"value": "Dipsind - S0200"
|
|
},
|
|
{
|
|
"description": "[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. (Citation: TrendMicro-DressCode)",
|
|
"meta": {
|
|
"external_id": "S0300",
|
|
"refs": [
|
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/",
|
|
"https://attack.mitre.org/software/S0300"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca",
|
|
"value": "DressCode - S0300"
|
|
},
|
|
{
|
|
"description": "[Carbanak](https://attack.mitre.org/software/S0030) is a full-featured, remote backdoor used by a group of the same name ([Carbanak](https://attack.mitre.org/groups/G0008)). It is intended for espionage, data exfiltration, and providing remote access to infected machines. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017)",
|
|
"meta": {
|
|
"external_id": "S0030",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0030",
|
|
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf",
|
|
"https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html",
|
|
"https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/"
|
|
],
|
|
"synonyms": [
|
|
"Carbanak",
|
|
"Anunak"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4",
|
|
"value": "Carbanak - S0030"
|
|
},
|
|
{
|
|
"description": "[RIPTIDE](https://attack.mitre.org/software/S0003) is a proxy-aware backdoor used by [APT12](https://attack.mitre.org/groups/G0005). (Citation: Moran 2014)",
|
|
"meta": {
|
|
"external_id": "S0003",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0003",
|
|
"https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
|
|
],
|
|
"synonyms": [
|
|
"RIPTIDE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "91583583-95c0-444e-8175-483cbebc640b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "91583583-95c0-444e-8175-483cbebc640b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e",
|
|
"value": "RIPTIDE - S0003"
|
|
},
|
|
{
|
|
"description": "[TinyZBot](https://attack.mitre.org/software/S0004) is a bot written in C# that was developed by [Cleaver](https://attack.mitre.org/groups/G0003). (Citation: Cylance Cleaver)",
|
|
"meta": {
|
|
"external_id": "S0004",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0004",
|
|
"https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"TinyZBot"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2cc27a2-4146-4f08-8e80-114a99204cea",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e2cc27a2-4146-4f08-8e80-114a99204cea",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
|
|
"value": "TinyZBot - S0004"
|
|
},
|
|
{
|
|
"description": "[RobbinHood](https://attack.mitre.org/software/S0400) is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.(Citation: CarbonBlack RobbinHood May 2019)(Citation: BaltimoreSun RobbinHood May 2019)",
|
|
"meta": {
|
|
"external_id": "S0400",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0400",
|
|
"https://www.baltimoresun.com/politics/bs-md-ci-it-outage-20190507-story.html",
|
|
"https://www.carbonblack.com/2019/05/17/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/"
|
|
],
|
|
"synonyms": [
|
|
"RobbinHood"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0a607c53-df52-45da-a75d-0e53df4dad5f",
|
|
"value": "RobbinHood - S0400"
|
|
},
|
|
{
|
|
"description": "[CosmicDuke](https://attack.mitre.org/software/S0050) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. (Citation: F-Secure The Dukes)",
|
|
"meta": {
|
|
"external_id": "S0050",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0050",
|
|
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
|
|
],
|
|
"synonyms": [
|
|
"CosmicDuke",
|
|
"TinyBaron",
|
|
"BotgenStudios",
|
|
"NemesisGemina"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
|
|
"value": "CosmicDuke - S0050"
|
|
},
|
|
{
|
|
"description": "[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)",
|
|
"meta": {
|
|
"external_id": "S0600",
|
|
"mitre_platforms": [
|
|
"Linux",
|
|
"Containers"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0600",
|
|
"https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/"
|
|
],
|
|
"synonyms": [
|
|
"Doki"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4f1c389e-a80e-4a3e-9b0e-9be8c91df64f",
|
|
"value": "Doki - S0600"
|
|
},
|
|
{
|
|
"description": "[HTTPBrowser](https://attack.mitre.org/software/S0070) is malware that has been used by several threat groups. (Citation: ThreatStream Evasion Analysis) (Citation: Dell TG-3390) It is believed to be of Chinese origin. (Citation: ThreatConnect Anthem)",
|
|
"meta": {
|
|
"external_id": "S0070",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0070",
|
|
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage",
|
|
"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/",
|
|
"https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"
|
|
],
|
|
"synonyms": [
|
|
"HTTPBrowser",
|
|
"Token Control",
|
|
"HttpDump"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "08e2c9ef-aa62-429f-a6e5-e901ff6883cd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "08e2c9ef-aa62-429f-a6e5-e901ff6883cd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
|
|
"value": "HTTPBrowser - S0070"
|
|
},
|
|
{
|
|
"description": "[Mivast](https://attack.mitre.org/software/S0080) is a backdoor that has been used by [Deep Panda](https://attack.mitre.org/groups/G0009). It was reportedly used in the Anthem breach. (Citation: Symantec Black Vine)",
|
|
"meta": {
|
|
"external_id": "S0080",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2",
|
|
"https://attack.mitre.org/software/S0080",
|
|
"https://web.archive.org/web/20170823094836/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Mivast"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3",
|
|
"value": "Mivast - S0080"
|
|
},
|
|
{
|
|
"description": "[Hikit](https://attack.mitre.org/software/S0009) is malware that has been used by [Axiom](https://attack.mitre.org/groups/G0001) for late-stage persistence and exfiltration after the initial compromise.(Citation: Novetta-Axiom)(Citation: FireEye Hikit Rootkit)",
|
|
"meta": {
|
|
"external_id": "S0009",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0009",
|
|
"https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
|
|
"https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html"
|
|
],
|
|
"synonyms": [
|
|
"Hikit"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "06953055-92ed-4936-8ffd-d9d72ab6bef6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "06953055-92ed-4936-8ffd-d9d72ab6bef6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "95047f03-4811-4300-922e-1ba937d53a61",
|
|
"value": "Hikit - S0009"
|
|
},
|
|
{
|
|
"description": "",
|
|
"meta": {
|
|
"external_id": "S9000",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S9000"
|
|
],
|
|
"synonyms": [
|
|
"Ngrok"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906",
|
|
"type": "revoked-by"
|
|
}
|
|
],
|
|
"uuid": "911fe4c3-444d-4e92-83b8-cc761ac5fd3b",
|
|
"value": "Ngrok - S9000"
|
|
},
|
|
{
|
|
"description": "[Rover](https://attack.mitre.org/software/S0090) is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. (Citation: Palo Alto Rover)",
|
|
"meta": {
|
|
"external_id": "S0090",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/",
|
|
"https://attack.mitre.org/software/S0090"
|
|
],
|
|
"synonyms": [
|
|
"Rover"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
|
|
"value": "Rover - S0090"
|
|
},
|
|
{
|
|
"description": "[Taidoor](https://attack.mitre.org/software/S0011) is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021) [Taidoor](https://attack.mitre.org/software/S0011) has primarily been used against Taiwanese government organizations since at least 2010.(Citation: TrendMicro Taidoor)",
|
|
"meta": {
|
|
"external_id": "S0011",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf",
|
|
"https://attack.mitre.org/software/S0011",
|
|
"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a"
|
|
],
|
|
"synonyms": [
|
|
"Taidoor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cda7d605-23d0-4f93-a585-1276f094c04a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cda7d605-23d0-4f93-a585-1276f094c04a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b143dfa4-e944-43ff-8429-bfffc308c517",
|
|
"value": "Taidoor - S0011"
|
|
},
|
|
{
|
|
"description": "[WEBC2](https://attack.mitre.org/software/S0109) is a family of backdoor malware used by [APT1](https://attack.mitre.org/groups/G0006) as early as July 2006. [WEBC2](https://attack.mitre.org/software/S0109) backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)",
|
|
"meta": {
|
|
"external_id": "S0109",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0109",
|
|
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip",
|
|
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"WEBC2"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b5be84b7-bf2c-40d0-85a9-14c040881a98",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b5be84b7-bf2c-40d0-85a9-14c040881a98",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "1d808f62-cf63-4063-9727-ff6132514c22",
|
|
"value": "WEBC2 - S0109"
|
|
},
|
|
{
|
|
"description": "[Derusbi](https://attack.mitre.org/software/S0021) is malware used by multiple Chinese APT groups.(Citation: Novetta-Axiom)(Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed.(Citation: Fidelis Turbo)",
|
|
"meta": {
|
|
"external_id": "S0021",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0021",
|
|
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf",
|
|
"https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
|
|
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
|
|
"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/"
|
|
],
|
|
"synonyms": [
|
|
"Derusbi",
|
|
"PHOTO"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eff68b97-f36e-4827-ab1a-90523c16774c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eff68b97-f36e-4827-ab1a-90523c16774c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
|
|
"value": "Derusbi - S0021"
|
|
},
|
|
{
|
|
"description": "[JPIN](https://attack.mitre.org/software/S0201) is a custom-built backdoor family used by [PLATINUM](https://attack.mitre.org/groups/G0068). Evidence suggests that the developers of the [JPIN](https://attack.mitre.org/software/S0201) and [Dipsind](https://attack.mitre.org/software/S0200) code bases were related in some way. (Citation: Microsoft PLATINUM April 2016)",
|
|
"meta": {
|
|
"external_id": "S0201",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0201",
|
|
"https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
|
|
],
|
|
"synonyms": [
|
|
"JPIN"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "de6cb631-52f6-4169-a73b-7965390b0c30",
|
|
"value": "JPIN - S0201"
|
|
},
|
|
{
|
|
"description": "[PoisonIvy](https://attack.mitre.org/software/S0012) is a popular remote access tool (RAT) that has been used by many groups.(Citation: FireEye Poison Ivy)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Darkmoon Aug 2005)",
|
|
"meta": {
|
|
"external_id": "S0012",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0012",
|
|
"https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
|
|
"https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
|
|
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf",
|
|
"https://www.symantec.com/connect/blogs/life-mars-how-attackers-took-advantage-hope-alien-existance-new-darkmoon-campaign",
|
|
"https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99"
|
|
],
|
|
"synonyms": [
|
|
"PoisonIvy",
|
|
"Breut",
|
|
"Poison Ivy",
|
|
"Darkmoon"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "22522668-ddf6-470b-a027-9d6866679f67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b42378e0-f147-496f-992a-26a49705395b",
|
|
"value": "PoisonIvy - S0012"
|
|
},
|
|
{
|
|
"description": "[Kevin](https://attack.mitre.org/software/S1020) is a backdoor implant written in C++ that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2020, including in operations against organizations in Tunisia.(Citation: Kaspersky Lyceum October 2021)",
|
|
"meta": {
|
|
"external_id": "S1020",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1020",
|
|
"https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Kevin"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e7863f5d-cb6a-4f81-8804-0a635eec160a",
|
|
"value": "Kevin - S1020"
|
|
},
|
|
{
|
|
"description": "[Nerex](https://attack.mitre.org/software/S0210) is a Trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Nerex May 2012)",
|
|
"meta": {
|
|
"external_id": "S0210",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0210",
|
|
"https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
|
|
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3445-99"
|
|
],
|
|
"synonyms": [
|
|
"Nerex"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a",
|
|
"value": "Nerex - S0210"
|
|
},
|
|
{
|
|
"description": "[BACKSPACE](https://attack.mitre.org/software/S0031) is a backdoor used by [APT30](https://attack.mitre.org/groups/G0013) that dates back to at least 2005. (Citation: FireEye APT30)",
|
|
"meta": {
|
|
"external_id": "S0031",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0031",
|
|
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
|
|
],
|
|
"synonyms": [
|
|
"BACKSPACE",
|
|
"Lecna"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cd6c5f27-cf7e-4529-ae9c-ab5b85102bde",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cd6c5f27-cf7e-4529-ae9c-ab5b85102bde",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
|
|
"value": "BACKSPACE - S0031"
|
|
},
|
|
{
|
|
"description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)",
|
|
"meta": {
|
|
"external_id": "S0301",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0301",
|
|
"https://blog.lookout.com/blog/2014/03/06/dendroid/"
|
|
],
|
|
"synonyms": [
|
|
"Dendroid"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ea3a8c25-4adb-4538-bf11-55259bdba15f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "ea3a8c25-4adb-4538-bf11-55259bdba15f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e",
|
|
"value": "Dendroid - S0301"
|
|
},
|
|
{
|
|
"description": "[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: Dell TG-3390)",
|
|
"meta": {
|
|
"external_id": "S0013",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf",
|
|
"http://labs.lastline.com/an-analysis-of-plugx",
|
|
"http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
|
|
"https://attack.mitre.org/software/S0013",
|
|
"https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
|
|
"https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html",
|
|
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"
|
|
],
|
|
"synonyms": [
|
|
"PlugX",
|
|
"Thoper",
|
|
"TVT",
|
|
"DestroyRAT",
|
|
"Sogu",
|
|
"Kaba",
|
|
"Korplug"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "663f8ef9-4c50-499a-b765-f377d23c1070",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4b159ea-97e5-483b-854b-c48a78d562aa",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "663f8ef9-4c50-499a-b765-f377d23c1070",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f4b159ea-97e5-483b-854b-c48a78d562aa",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
|
|
"value": "PlugX - S0013"
|
|
},
|
|
{
|
|
"description": "[Squirrelwaffle](https://attack.mitre.org/software/S1030) is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as [Cobalt Strike](https://attack.mitre.org/software/S0154) and the [QakBot](https://attack.mitre.org/software/S0650) banking trojan.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)",
|
|
"meta": {
|
|
"external_id": "S1030",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1030",
|
|
"https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot",
|
|
"https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike"
|
|
],
|
|
"synonyms": [
|
|
"Squirrelwaffle"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3c18ad16-9eaf-4649-984e-68551bff0d47",
|
|
"value": "Squirrelwaffle - S1030"
|
|
},
|
|
{
|
|
"description": "[Fysbis](https://attack.mitre.org/software/S0410) is a Linux-based backdoor used by [APT28](https://attack.mitre.org/groups/G0007) that dates back to at least 2014.(Citation: Fysbis Palo Alto Analysis)",
|
|
"meta": {
|
|
"external_id": "S0410",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0410",
|
|
"https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"
|
|
],
|
|
"synonyms": [
|
|
"Fysbis"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "50d6688b-0985-4f3d-8cbe-0c796b30703b",
|
|
"value": "Fysbis - S0410"
|
|
},
|
|
{
|
|
"description": "[Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)",
|
|
"meta": {
|
|
"external_id": "S0140",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/",
|
|
"https://attack.mitre.org/software/S0140",
|
|
"https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
|
|
"https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html",
|
|
"https://www.symantec.com/connect/blogs/shamoon-attacks"
|
|
],
|
|
"synonyms": [
|
|
"Shamoon",
|
|
"Disttrack"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "776b1849-8d5b-4762-8ba1-cbbaddb4ce3a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "776b1849-8d5b-4762-8ba1-cbbaddb4ce3a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
|
|
"value": "Shamoon - S0140"
|
|
},
|
|
{
|
|
"description": "[Wiper](https://attack.mitre.org/software/S0041) is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper)",
|
|
"meta": {
|
|
"external_id": "S0041",
|
|
"refs": [
|
|
"http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/",
|
|
"https://attack.mitre.org/software/S0041"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085",
|
|
"value": "Wiper - S0041"
|
|
},
|
|
{
|
|
"description": "[MiniDuke](https://attack.mitre.org/software/S0051) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. The [MiniDuke](https://attack.mitre.org/software/S0051) toolset consists of multiple downloader and backdoor components. The loader has been used with other [MiniDuke](https://attack.mitre.org/software/S0051) components as well as in conjunction with [CosmicDuke](https://attack.mitre.org/software/S0050) and [PinchDuke](https://attack.mitre.org/software/S0048). (Citation: F-Secure The Dukes)",
|
|
"meta": {
|
|
"external_id": "S0051",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0051",
|
|
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
|
|
],
|
|
"synonyms": [
|
|
"MiniDuke"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c",
|
|
"value": "MiniDuke - S0051"
|
|
},
|
|
{
|
|
"description": "[POSHSPY](https://attack.mitre.org/software/S0150) is a backdoor that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2015. It appears to serve as a secondary backdoor, used if the actors lost access to their primary backdoors. (Citation: FireEye POSHSPY April 2017)",
|
|
"meta": {
|
|
"external_id": "S0150",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0150",
|
|
"https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"
|
|
],
|
|
"synonyms": [
|
|
"POSHSPY"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4df1b257-c242-46b0-b120-591430066b6f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6e45f758-7bd9-44b8-a21c-7309614ae176",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "4df1b257-c242-46b0-b120-591430066b6f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808",
|
|
"value": "POSHSPY - S0150"
|
|
},
|
|
{
|
|
"description": "[Ixeshe](https://attack.mitre.org/software/S0015) is a malware family that has been used since at least 2009 against targets in East Asia. (Citation: Moran 2013)",
|
|
"meta": {
|
|
"external_id": "S0015",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0015",
|
|
"https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html"
|
|
],
|
|
"synonyms": [
|
|
"Ixeshe"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06",
|
|
"value": "Ixeshe - S0015"
|
|
},
|
|
{
|
|
"description": "[PipeMon](https://attack.mitre.org/software/S0501) is a multi-stage modular backdoor used by [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: ESET PipeMon May 2020)",
|
|
"meta": {
|
|
"external_id": "S0501",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0501",
|
|
"https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"
|
|
],
|
|
"synonyms": [
|
|
"PipeMon"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2de47683-f398-448f-b947-9abcc3e32fad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8393dac0-0583-456a-9372-fd81691bca20",
|
|
"value": "PipeMon - S0501"
|
|
},
|
|
{
|
|
"description": "[HDoor](https://attack.mitre.org/software/S0061) is malware that has been customized and used by the [Naikon](https://attack.mitre.org/groups/G0019) group. (Citation: Baumgartner Naikon 2015)",
|
|
"meta": {
|
|
"external_id": "S0061",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0061",
|
|
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"
|
|
],
|
|
"synonyms": [
|
|
"HDoor",
|
|
"Custom HDoor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b",
|
|
"value": "HDoor - S0061"
|
|
},
|
|
{
|
|
"description": "[Hildegard](https://attack.mitre.org/software/S0601) is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind [Hildegard](https://attack.mitre.org/software/S0601). (Citation: Unit 42 Hildegard Malware)",
|
|
"meta": {
|
|
"external_id": "S0601",
|
|
"mitre_platforms": [
|
|
"Linux",
|
|
"Containers",
|
|
"IaaS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0601",
|
|
"https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/"
|
|
],
|
|
"synonyms": [
|
|
"Hildegard"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0470e792-32f8-46b0-a351-652bc35e9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "19bf235b-8620-4997-b5b4-94e0659ed7c3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "40a1b8ec-7295-416c-a6b1-68181d86f120",
|
|
"value": "Hildegard - S0601"
|
|
},
|
|
{
|
|
"description": "[Mafalda](https://attack.mitre.org/software/S1060) is a flexible interactive implant that has been used by [Metador](https://attack.mitre.org/groups/G1013). Security researchers assess the [Mafalda](https://attack.mitre.org/software/S1060) name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. (Citation: SentinelLabs Metador Sept 2022)",
|
|
"meta": {
|
|
"external_id": "S1060",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://assets.sentinelone.com/sentinellabs22/metador#page=1",
|
|
"https://attack.mitre.org/software/S1060"
|
|
],
|
|
"synonyms": [
|
|
"Mafalda"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3be1fb7a-0f7e-415e-8e3a-74a80d596e68",
|
|
"value": "Mafalda - S1060"
|
|
},
|
|
{
|
|
"description": "[SideTwist](https://attack.mitre.org/software/S0610) is a C-based backdoor that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2021.(Citation: Check Point APT34 April 2021)",
|
|
"meta": {
|
|
"external_id": "S0610",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0610",
|
|
"https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/"
|
|
],
|
|
"synonyms": [
|
|
"SideTwist"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "df4cd566-ff2f-4d08-976d-8c86e95782de",
|
|
"value": "SideTwist - S0610"
|
|
},
|
|
{
|
|
"description": "[BISCUIT](https://attack.mitre.org/software/S0017) is a backdoor that has been used by [APT1](https://attack.mitre.org/groups/G0006) since as early as 2007. (Citation: Mandiant APT1)",
|
|
"meta": {
|
|
"external_id": "S0017",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0017",
|
|
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip",
|
|
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"BISCUIT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1e05a12-ca50-41ab-a963-d7df5bcb141d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1e05a12-ca50-41ab-a963-d7df5bcb141d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda",
|
|
"value": "BISCUIT - S0017"
|
|
},
|
|
{
|
|
"description": "[Helminth](https://attack.mitre.org/software/S0170) is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable. (Citation: Palo Alto OilRig May 2016)",
|
|
"meta": {
|
|
"external_id": "S0170",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
|
|
"https://attack.mitre.org/software/S0170"
|
|
],
|
|
"synonyms": [
|
|
"Helminth"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "19d89300-ff97-4281-ac42-76542e744092",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "19d89300-ff97-4281-ac42-76542e744092",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
|
|
"value": "Helminth - S0170"
|
|
},
|
|
{
|
|
"description": "[hcdLoader](https://attack.mitre.org/software/S0071) is a remote access tool (RAT) that has been used by [APT18](https://attack.mitre.org/groups/G0026). (Citation: Dell Lateral Movement)",
|
|
"meta": {
|
|
"external_id": "S0071",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/",
|
|
"https://attack.mitre.org/software/S0071"
|
|
],
|
|
"synonyms": [
|
|
"hcdLoader"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "12bb8f4f-af29-49a0-8c2c-d28468f28fd8",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "12bb8f4f-af29-49a0-8c2c-d28468f28fd8",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e",
|
|
"value": "hcdLoader - S0071"
|
|
},
|
|
{
|
|
"description": "[Elise](https://attack.mitre.org/software/S0081) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)",
|
|
"meta": {
|
|
"external_id": "S0081",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0081",
|
|
"https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
|
|
"https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html"
|
|
],
|
|
"synonyms": [
|
|
"Elise",
|
|
"BKDR_ESILE",
|
|
"Page"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3477a25d-e04b-475e-8330-39f66c10cc01",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d70fd29d-590e-4ed5-b72f-6ce0142019c6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d70fd29d-590e-4ed5-b72f-6ce0142019c6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "3477a25d-e04b-475e-8330-39f66c10cc01",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
|
|
"value": "Elise - S0081"
|
|
},
|
|
{
|
|
"description": "[Fakecalls](https://attack.mitre.org/software/S1080) is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.(Citation: kaspersky_fakecalls_0422)",
|
|
"meta": {
|
|
"external_id": "S1080",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1080",
|
|
"https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"
|
|
],
|
|
"synonyms": [
|
|
"Fakecalls"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "429e1526-6293-495b-8808-af7f9a66c4be",
|
|
"value": "Fakecalls - S1080"
|
|
},
|
|
{
|
|
"description": "[Sykipot](https://attack.mitre.org/software/S0018) is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of [Sykipot](https://attack.mitre.org/software/S0018) hijacks smart cards on victims. (Citation: Alienvault Sykipot DOD Smart Cards) The group using this malware has also been referred to as Sykipot. (Citation: Blasco 2013)",
|
|
"meta": {
|
|
"external_id": "S0018",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments",
|
|
"https://attack.mitre.org/software/S0018",
|
|
"https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards"
|
|
],
|
|
"synonyms": [
|
|
"Sykipot"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
|
|
"value": "Sykipot - S0018"
|
|
},
|
|
{
|
|
"description": "[Volgmer](https://attack.mitre.org/software/S0180) is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. (Citation: US-CERT Volgmer Nov 2017)",
|
|
"meta": {
|
|
"external_id": "S0180",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0180",
|
|
"https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2",
|
|
"https://www.us-cert.gov/ncas/alerts/TA17-318B",
|
|
"https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF"
|
|
],
|
|
"synonyms": [
|
|
"Volgmer"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
|
|
"value": "Volgmer - S0180"
|
|
},
|
|
{
|
|
"description": "[NightClub](https://attack.mitre.org/software/S1090) is a modular implant written in C++ that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2014.(Citation: MoustachedBouncer ESET August 2023)",
|
|
"meta": {
|
|
"external_id": "S1090",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1090",
|
|
"https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"
|
|
],
|
|
"synonyms": [
|
|
"NightClub"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "91c57ed3-7c32-4c68-b388-7db00cb8dac6",
|
|
"value": "NightClub - S1090"
|
|
},
|
|
{
|
|
"description": "[Epic](https://attack.mitre.org/software/S0091) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)",
|
|
"meta": {
|
|
"external_id": "S0091",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0091",
|
|
"https://securelist.com/the-epic-turla-operation/65545/"
|
|
],
|
|
"synonyms": [
|
|
"Epic",
|
|
"Tavdig",
|
|
"Wipbot",
|
|
"WorldCupSec",
|
|
"TadjMakhal"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0042a9f5-f053-4769-b3ef-9ad018dfa298",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "36c0faf0-428e-4e7f-93c5-824bb0495ac9",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "36c0faf0-428e-4e7f-93c5-824bb0495ac9",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6b62e336-176f-417b-856a-8552dd8c44e1",
|
|
"value": "Epic - S0091"
|
|
},
|
|
{
|
|
"description": "[Regin](https://attack.mitre.org/software/S0019) is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some [Regin](https://attack.mitre.org/software/S0019) timestamps date back to 2003. (Citation: Kaspersky Regin)",
|
|
"meta": {
|
|
"external_id": "S0019",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0019",
|
|
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Regin"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0cf21558-1217-4d36-9536-2919cfd44825",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0cf21558-1217-4d36-9536-2919cfd44825",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
|
|
"value": "Regin - S0019"
|
|
},
|
|
{
|
|
"description": "[Chaos](https://attack.mitre.org/software/S0220) is Linux malware that compromises systems by brute-force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. (Citation: Chaos Stolen Backdoor)",
|
|
"meta": {
|
|
"external_id": "S0220",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/",
|
|
"https://attack.mitre.org/software/S0220"
|
|
],
|
|
"synonyms": [
|
|
"Chaos"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5bcd5511-6756-4824-a692-e8bb109364af",
|
|
"value": "Chaos - S0220"
|
|
},
|
|
{
|
|
"description": "[Uroburos](https://attack.mitre.org/software/S0022) is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the [Turla](https://attack.mitre.org/groups/G0010) toolset to collect intelligence on sensitive targets worldwide. [Uroburos](https://attack.mitre.org/software/S0022) has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. [Uroburos](https://attack.mitre.org/software/S0022) is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. [Uroburos](https://attack.mitre.org/software/S0022) has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)",
|
|
"meta": {
|
|
"external_id": "S0022",
|
|
"mitre_platforms": [
|
|
"Linux",
|
|
"Windows",
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0022",
|
|
"https://securelist.com/the-epic-turla-operation/65545/",
|
|
"https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Uroburos",
|
|
"Snake"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "22332d52-c0c2-443c-9ffb-f08c0d23722c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "22332d52-c0c2-443c-9ffb-f08c0d23722c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4",
"value": "Uroburos - S0022"
},
{
"description": "[adbupd](https://attack.mitre.org/software/S0202) is a backdoor used by [PLATINUM](https://attack.mitre.org/groups/G0068) that is similar to [Dipsind](https://attack.mitre.org/software/S0200). (Citation: Microsoft PLATINUM April 2016)",
"meta": {
"external_id": "S0202",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0202",
"https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
],
"synonyms": [
"adbupd"
]
},
"related": [
{
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
"type": "uses"
},
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0f1ad2ef-41d4-4b7a-9304-ddae68ea3005",
"value": "adbupd - S0202"
},
{
"description": "[CHOPSTICK](https://attack.mitre.org/software/S0023) is a malware family of modular backdoors used by [APT28](https://attack.mitre.org/groups/G0007). It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the [X-Agent for Android](https://attack.mitre.org/software/S0314).",
"meta": {
"external_id": "S0023",
"mitre_platforms": [
"Windows",
"Linux"
],
"refs": [
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
"https://attack.mitre.org/software/S0023",
"https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.justice.gov/file/1080281/download",
"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
],
"synonyms": [
"CHOPSTICK",
"Backdoor.SofacyX",
"SPLM",
"Xagent",
"X-Agent",
"webhp"
]
},
"related": [
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "uses"
},
{
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
"type": "uses"
},
{
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
"type": "uses"
},
{
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
"type": "uses"
},
{
"dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "uses"
},
{
"dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef",
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
"type": "uses"
},
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"type": "uses"
},
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
"type": "uses"
},
{
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
"type": "uses"
},
{
"dest-uuid": "56660521-6db4-4e5a-a927-464f22954b7c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"value": "CHOPSTICK - S0023"
},
{
"description": "[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)",
"meta": {
"external_id": "S0320",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0320",
"https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app",
"https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat"
],
"synonyms": [
"DroidJack"
]
},
"related": [
{
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
"type": "uses"
},
{
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"type": "uses"
},
{
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
"type": "uses"
},
{
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
"type": "uses"
},
{
"dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"value": "DroidJack - S0320"
},
{
|
|
"description": "[Hydraq](https://attack.mitre.org/software/S0203) is a data-theft trojan first used by [Elderwood](https://attack.mitre.org/groups/G0066) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including [APT17](https://attack.mitre.org/groups/G0025).(Citation: MicroFocus 9002 Aug 2016)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: ASERT Seven Pointed Dagger Aug 2015)(Citation: FireEye DeputyDog 9002 November 2013)(Citation: ProofPoint GoT 9002 Aug 2017)(Citation: FireEye Sunshop Campaign May 2013)(Citation: PaloAlto 3102 Sept 2015)",
|
|
"meta": {
|
|
"external_id": "S0203",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0203",
|
|
"https://community.softwaregrp.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WosBVKjwZPZ",
|
|
"https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/",
|
|
"https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
|
|
"https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf",
|
|
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
|
|
"https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html",
|
|
"https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html",
|
|
"https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures",
|
|
"https://www.symantec.com/connect/blogs/trojanhydraq-incident"
|
|
],
|
|
"synonyms": [
|
|
"Hydraq",
|
|
"Roarur",
|
|
"MdmBot",
|
|
"HomeUnix",
|
|
"Homux",
|
|
"HidraQ",
|
|
"HydraQ",
|
|
"McRat",
|
|
"Aurora",
|
|
"9002 RAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "70c31066-237a-11e8-8eff-37ef1ad0c703",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "70c31066-237a-11e8-8eff-37ef1ad0c703",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f",
|
|
"value": "Hydraq - S0203"
|
|
},
|
|
{
|
|
"description": "[ZeroT](https://attack.mitre.org/software/S0230) is a Trojan used by [TA459](https://attack.mitre.org/groups/G0062), often in conjunction with [PlugX](https://attack.mitre.org/software/S0013). (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017)",
|
|
"meta": {
|
|
"external_id": "S0230",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0230",
|
|
"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx",
|
|
"https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts"
|
|
],
|
|
"synonyms": [
|
|
"ZeroT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ff00fa92-b32e-46b6-88ca-98357ebe3f54",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "ff00fa92-b32e-46b6-88ca-98357ebe3f54",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f",
|
|
"value": "ZeroT - S0230"
|
|
},
|
|
{
|
|
"description": "[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)",
|
|
"meta": {
|
|
"external_id": "S0302",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/",
|
|
"https://attack.mitre.org/software/S0302"
|
|
],
|
|
"synonyms": [
|
|
"Twitoor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "d916f176-a1ca-4a78-9fdd-4058bc28162e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ed2c05a1-4f81-4d97-9e1b-aff01c34ae84",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c",
|
|
"value": "Twitoor - S0302"
|
|
},
|
|
{
|
|
"description": "[Get2](https://attack.mitre.org/software/S0460) is a downloader written in C++ that has been used by [TA505](https://attack.mitre.org/groups/G0092) to deliver [FlawedGrace](https://attack.mitre.org/software/S0383), [FlawedAmmyy](https://attack.mitre.org/software/S0381), Snatch and [SDBbot](https://attack.mitre.org/software/S0461).(Citation: Proofpoint TA505 October 2019)",
|
|
"meta": {
|
|
"external_id": "S0460",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0460",
|
|
"https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader"
|
|
],
|
|
"synonyms": [
|
|
"Get2"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "099ecff2-41b8-436d-843c-038a9aa9aa69",
|
|
"value": "Get2 - S0460"
|
|
},
|
|
{
|
|
"description": "[LOWBALL](https://attack.mitre.org/software/S0042) is malware used by [admin@338](https://attack.mitre.org/groups/G0018). It was used in August 2015 in email messages targeting Hong Kong-based media organizations. (Citation: FireEye admin@338)",
|
|
"meta": {
|
|
"external_id": "S0042",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0042",
|
|
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
|
|
],
|
|
"synonyms": [
|
|
"LOWBALL"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b",
|
|
"value": "LOWBALL - S0042"
|
|
},
|
|
{
|
|
"description": "[ROKRAT](https://attack.mitre.org/software/S0240) is a cloud-based remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067) to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) has used ROKRAT during several campaigns from 2016 through 2021.(Citation: Talos ROKRAT)(Citation: Talos Group123)(Citation: Volexity InkySquid RokRAT August 2021)",
|
|
"meta": {
|
|
"external_id": "S0240",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0240",
|
|
"https://blog.talosintelligence.com/2017/04/introducing-rokrat.html",
|
|
"https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html",
|
|
"https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
|
|
"https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/"
|
|
],
|
|
"synonyms": [
|
|
"ROKRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f",
|
|
"value": "ROKRAT - S0240"
|
|
},
|
|
{
|
|
"description": "[Briba](https://attack.mitre.org/software/S0204) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor and download files on to compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Briba May 2012)",
|
|
"meta": {
|
|
"external_id": "S0204",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0204",
|
|
"https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
|
|
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99"
|
|
],
|
|
"synonyms": [
|
|
"Briba"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde",
|
|
"value": "Briba - S0204"
|
|
},
|
|
{
|
|
"description": "[Dvmap](https://attack.mitre.org/software/S0420) is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)",
|
|
"meta": {
|
|
"external_id": "S0420",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0420",
|
|
"https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"
|
|
],
|
|
"synonyms": [
|
|
"Dvmap"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6e17ca2-08b5-4379-9786-89bd05241831",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "22b596a6-d288-4409-8520-5f2846f85514",
|
|
"value": "Dvmap - S0420"
|
|
},
|
|
{
|
|
"description": "[Dyre](https://attack.mitre.org/software/S0024) is a banking Trojan that has been used for financial gain. \n (Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)",
|
|
"meta": {
|
|
"external_id": "S0024",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf",
|
|
"https://attack.mitre.org/software/S0024",
|
|
"https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/",
|
|
"https://nakedsecurity.sophos.com/2015/04/20/notes-from-sophoslabs-dyreza-the-malware-that-discriminates-against-old-computers/"
|
|
],
|
|
"synonyms": [
|
|
"Dyre",
|
|
"Dyzap",
|
|
"Dyreza"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "15e969e6-f031-4441-a49b-f401332e4b00",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1ecbcd20-f238-47ef-874b-08ef93266395",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "15e969e6-f031-4441-a49b-f401332e4b00",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "1ecbcd20-f238-47ef-874b-08ef93266395",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe",
|
|
"value": "Dyre - S0024"
|
|
},
|
|
{
|
|
"description": "[CALENDAR](https://attack.mitre.org/software/S0025) is malware used by [APT1](https://attack.mitre.org/groups/G0006) that mimics legitimate Gmail Calendar traffic. (Citation: Mandiant APT1)",
|
|
"meta": {
|
|
"external_id": "S0025",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0025",
|
|
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"CALENDAR"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2c18713-0a95-4092-a0e9-76358512daad",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e2c18713-0a95-4092-a0e9-76358512daad",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283",
|
|
"value": "CALENDAR - S0025"
|
|
},
|
|
{
|
|
"description": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)",
|
|
"meta": {
|
|
"external_id": "S0520",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0520",
|
|
"https://digital.nhs.uk/cyber-alerts/2020/cc-3603",
|
|
"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
|
|
],
|
|
"synonyms": [
|
|
"BLINDINGCAN"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "01dbc71d-0ee8-420d-abb4-3dfb6a4bf725",
|
|
"value": "BLINDINGCAN - S0520"
|
|
},
|
|
{
|
|
"description": "[OnionDuke](https://attack.mitre.org/software/S0052) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2013 to 2015. (Citation: F-Secure The Dukes)",
|
|
"meta": {
|
|
"external_id": "S0052",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0052",
|
|
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
|
|
],
|
|
"synonyms": [
|
|
"OnionDuke"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b136d088-a829-432c-ac26-5529c26d4c7e",
|
|
"value": "OnionDuke - S0052"
|
|
},
|
|
{
|
|
"description": "[Drovorub](https://attack.mitre.org/software/S0502) is a Linux malware toolset, composed of an agent, client, server, and kernel modules, that has been used by [APT28](https://attack.mitre.org/groups/G0007).(Citation: NSA/FBI Drovorub August 2020)",
|
|
"meta": {
|
|
"external_id": "S0502",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0502",
|
|
"https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF"
|
|
],
|
|
"synonyms": [
|
|
"Drovorub"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "99164b38-1775-40bc-b77b-a2373b14540a",
|
|
"value": "Drovorub - S0502"
|
|
},
|
|
{
|
|
"description": "[Naid](https://attack.mitre.org/software/S0205) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Naid June 2012)",
|
|
"meta": {
|
|
"external_id": "S0205",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0205",
|
|
"https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
|
|
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99"
|
|
],
|
|
"synonyms": [
|
|
"Naid"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "170db76b-93f7-4fd1-97fc-55937c079b66",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "170db76b-93f7-4fd1-97fc-55937c079b66",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2",
|
|
"value": "Naid - S0205"
|
|
},
|
|
{
|
|
"description": "[GLOOXMAIL](https://attack.mitre.org/software/S0026) is malware used by [APT1](https://attack.mitre.org/groups/G0006) that mimics legitimate Jabber/XMPP traffic. (Citation: Mandiant APT1)",
|
|
"meta": {
|
|
"external_id": "S0026",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0026",
|
|
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"GLOOXMAIL",
|
|
"Trojan.GTALK"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "a379f09b-5cec-4bdb-9735-125cef2de073",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a379f09b-5cec-4bdb-9735-125cef2de073",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2",
|
|
"value": "GLOOXMAIL - S0026"
|
|
},
|
|
{
|
|
"description": "[Circles](https://attack.mitre.org/software/S0602) reportedly takes advantage of weaknesses in Signaling System 7 (SS7), the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company\u2019s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)",
|
|
"meta": {
|
|
"external_id": "S0602",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0602",
|
|
"https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/"
|
|
],
|
|
"synonyms": [
|
|
"Circles"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0f4fb01b-d57a-4375-b7a2-342c9d3248f7",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c6a07c89-a24c-4c7e-9e3e-6153cc595e24",
|
|
"value": "Circles - S0602"
|
|
},
|
|
{
|
|
"description": "[DustySky](https://attack.mitre.org/software/S0062) is multi-stage malware written in .NET that has been used by [Molerats](https://attack.mitre.org/groups/G0021) since May 2015. (Citation: DustySky) (Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)",
|
|
"meta": {
|
|
"external_id": "S0062",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf",
|
|
"https://attack.mitre.org/software/S0062",
|
|
"https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/",
|
|
"https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf"
|
|
],
|
|
"synonyms": [
|
|
"DustySky",
|
|
"NeD Worm"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eedcf785-d011-4e17-96c4-6ff39138ada0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eedcf785-d011-4e17-96c4-6ff39138ada0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
|
|
"value": "DustySky - S0062"
|
|
},
|
|
{
|
|
"description": "[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in Ukraine and Russia. [Gamaredon Group](https://attack.mitre.org/groups/G0047) infrastructure has been used to download and execute [InvisiMole](https://attack.mitre.org/software/S0260) against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)",
|
|
"meta": {
|
|
"external_id": "S0260",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0260",
|
|
"https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
|
|
],
|
|
"synonyms": [
|
|
"InvisiMole"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb2cb5cb-ae87-4de0-8c35-da2a17aafb99",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "47afe41c-4c08-485e-b062-c3bd209a1cce",
|
|
"value": "InvisiMole - S0260"
|
|
},
|
|
{
|
|
"description": "[Wiarp](https://attack.mitre.org/software/S0206) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012)",
|
|
"meta": {
|
|
"external_id": "S0206",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0206",
|
|
"https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
|
|
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99"
|
|
],
|
|
"synonyms": [
|
|
"Wiarp"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "039814a0-88de-46c5-a4fb-b293db21880a",
|
|
"value": "Wiarp - S0206"
|
|
},
|
|
{
|
|
"description": "[OwaAuth](https://attack.mitre.org/software/S0072) is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by [Threat Group-3390](https://attack.mitre.org/groups/G0027). (Citation: Dell TG-3390)",
|
|
"meta": {
|
|
"external_id": "S0072",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0072",
|
|
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"
|
|
],
|
|
"synonyms": [
|
|
"OwaAuth"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5",
|
|
"value": "OwaAuth - S0072"
|
|
},
|
|
{
|
|
"description": "[RogueRobin](https://attack.mitre.org/software/S0270) is a payload used by [DarkHydrus](https://attack.mitre.org/groups/G0079) that has been developed in PowerShell and C#. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)",
|
|
"meta": {
|
|
"external_id": "S0270",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0270",
|
|
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
|
|
"https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/"
|
|
],
|
|
"synonyms": [
|
|
"RogueRobin"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122",
|
|
"value": "RogueRobin - S0270"
|
|
},
|
|
{
|
|
"description": "[Vasport](https://attack.mitre.org/software/S0207) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Vasport May 2012)",
|
|
"meta": {
|
|
"external_id": "S0207",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0207",
|
|
"https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
|
|
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-5938-99"
|
|
],
|
|
"synonyms": [
|
|
"Vasport"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5",
|
|
"value": "Vasport - S0207"
|
|
},
|
|
{
|
|
"description": "[Zeroaccess](https://attack.mitre.org/software/S0027) is a kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that attempts to add victims to the ZeroAccess botnet, often for monetary gain. (Citation: Sophos ZeroAccess)",
|
|
"meta": {
|
|
"external_id": "S0027",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0027",
|
|
"https://sophosnews.files.wordpress.com/2012/04/zeroaccess2.pdf"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "552462b9-ae79-49dd-855c-5973014e157f",
|
|
"value": "Zeroaccess - S0027"
|
|
},
|
|
{
|
|
"description": "[SHIPSHAPE](https://attack.mitre.org/software/S0028) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)",
|
|
"meta": {
|
|
"external_id": "S0028",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0028",
|
|
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a",
|
|
"value": "SHIPSHAPE - S0028"
|
|
},
|
|
{
|
|
"description": "[Emissary](https://attack.mitre.org/software/S0082) is a Trojan that has been used by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It shares code with [Elise](https://attack.mitre.org/software/S0081), with both Trojans being part of a malware group referred to as LStudio. (Citation: Lotus Blossom Dec 2015)",
|
|
"meta": {
|
|
"external_id": "S0082",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/",
|
|
"https://attack.mitre.org/software/S0082"
|
|
],
|
|
"synonyms": [
|
|
"Emissary"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
|
|
"value": "Emissary - S0082"
|
|
},
|
|
{
|
|
"description": "[MirageFox](https://attack.mitre.org/software/S0280) is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. (Citation: APT15 Intezer June 2018)",
|
|
"meta": {
|
|
"external_id": "S0280",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0280",
|
|
"https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/"
|
|
],
|
|
"synonyms": [
|
|
"MirageFox"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e3cedcfe-6515-4348-af65-7f2c4157bf0d",
|
|
"value": "MirageFox - S0280"
|
|
},
|
|
{
|
|
"description": "[Pasam](https://attack.mitre.org/software/S0208) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Pasam May 2012)",
|
|
"meta": {
|
|
"external_id": "S0208",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0208",
|
|
"https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
|
|
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-050412-4128-99"
|
|
],
|
|
"synonyms": [
|
|
"Pasam"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae",
|
|
"value": "Pasam - S0208"
|
|
},
|
|
{
|
|
"description": "",
|
|
"meta": {
|
|
"external_id": "S0209",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0209"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
|
|
"type": "revoked-by"
|
|
},
|
|
{
|
|
"dest-uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "310f437b-29e7-4844-848c-7220868d074a",
|
|
"value": "Darkmoon - S0209"
|
|
},
|
|
{
|
|
"description": "[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)",
|
|
"meta": {
|
|
"external_id": "S0290",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/",
|
|
"https://attack.mitre.org/software/S0290",
|
|
"https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/",
|
|
"https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi"
|
|
],
|
|
"synonyms": [
|
|
"Gooligan",
|
|
"Ghost Push"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "20d56cd6-8dff-4871-9889-d32d254816de",
|
|
"value": "Gooligan - S0290"
|
|
},
|
|
{
|
|
"description": "[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)",
|
|
"meta": {
|
|
"external_id": "S0303",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0303",
|
|
"https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
|
|
"value": "MazarBOT - S0303"
|
|
},
|
|
{
|
|
"description": "[NetTraveler](https://attack.mitre.org/software/S0033) is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. (Citation: Kaspersky NetTraveler)",
|
|
"meta": {
|
|
"external_id": "S0033",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf",
|
|
"https://attack.mitre.org/software/S0033"
|
|
],
|
|
"synonyms": [
|
|
"NetTraveler"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3a26ee44-3224-48f3-aefb-3978c972d928",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "59b70721-6fed-4805-afa5-4ff2554bef81",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "59b70721-6fed-4805-afa5-4ff2554bef81",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "3a26ee44-3224-48f3-aefb-3978c972d928",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e",
|
|
"value": "NetTraveler - S0033"
|
|
},
|
|
{
|
|
"description": "[BUBBLEWRAP](https://attack.mitre.org/software/S0043) is a full-featured, second-stage backdoor used by the [admin@338](https://attack.mitre.org/groups/G0018) group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. (Citation: FireEye admin@338)",
|
|
"meta": {
|
|
"external_id": "S0043",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0043",
|
|
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
|
|
],
|
|
"synonyms": [
|
|
"BUBBLEWRAP",
|
|
"Backdoor.APT.FakeWinHTTPHelper"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b",
|
|
"value": "BUBBLEWRAP - S0043"
|
|
},
|
|
{
|
|
"description": "[NETEAGLE](https://attack.mitre.org/software/S0034) is a backdoor developed by [APT30](https://attack.mitre.org/groups/G0013) with compile dates as early as 2008. It has two main variants known as \u201cScout\u201d and \u201cNorton.\u201d (Citation: FireEye APT30)",
|
|
"meta": {
|
|
"external_id": "S0034",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0034",
|
|
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
|
|
],
|
|
"synonyms": [
|
|
"NETEAGLE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
|
|
"value": "NETEAGLE - S0034"
|
|
},
|
|
{
|
|
"description": "[Octopus](https://attack.mitre.org/software/S0340) is a Windows Trojan written in the Delphi programming language that has been used by [Nomadic Octopus](https://attack.mitre.org/groups/G0133) to target government organizations in Central Asia since at least 2014.(Citation: Securelist Octopus Oct 2018)(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018) ",
|
|
"meta": {
|
|
"external_id": "S0340",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0340",
|
|
"https://securelist.com/octopus-infested-seas-of-central-asia/88200/",
|
|
"https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html",
|
|
"https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Octopus"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e2031fd5-02c2-43d4-85e2-b64f474530c2",
|
|
"value": "Octopus - S0340"
|
|
},
|
|
{
|
|
"description": "[Riltok](https://attack.mitre.org/software/S0403) is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)",
|
|
"meta": {
|
|
"external_id": "S0403",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0403",
|
|
"https://securelist.com/mobile-banker-riltok/91374/"
|
|
],
|
|
"synonyms": [
|
|
"Riltok"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c0efbaae-9e7d-4716-a92d-68373aac7424",
|
|
"value": "Riltok - S0403"
|
|
},
|
|
{
|
|
"description": "[SPACESHIP](https://attack.mitre.org/software/S0035) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)",
|
|
"meta": {
|
|
"external_id": "S0035",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0035",
|
|
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
|
|
],
|
|
"synonyms": [
|
|
"SPACESHIP"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8b880b41-5139-4807-baa9-309690218719",
|
|
"value": "SPACESHIP - S0035"
|
|
},
|
|
{
|
|
"description": "[SeaDuke](https://attack.mitre.org/software/S0053) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with [CozyCar](https://attack.mitre.org/software/S0046). (Citation: F-Secure The Dukes)",
|
|
"meta": {
|
|
"external_id": "S0053",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0053",
|
|
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
|
|
],
|
|
"synonyms": [
|
|
"SeaDuke",
|
|
"SeaDaddy",
|
|
"SeaDesk"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
|
|
"value": "SeaDuke - S0053"
|
|
},
|
|
{
|
|
"description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) is a point of sale (POS) malware used by [FIN6](https://attack.mitre.org/groups/G0037) to steal payment card data from systems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)",
|
|
"meta": {
|
|
"external_id": "S0503",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0503",
|
|
"https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/"
|
|
],
|
|
"synonyms": [
|
|
"FrameworkPOS",
|
|
"Trinity"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "1cdbbcab-903a-414d-8eb0-439a97343737",
|
|
"value": "FrameworkPOS - S0503"
|
|
},
|
|
{
|
|
"description": "[Melcoz](https://attack.mitre.org/software/S0530) is a banking trojan family built from the open source tool Remote Access PC. [Melcoz](https://attack.mitre.org/software/S0530) was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.(Citation: Securelist Brazilian Banking Malware July 2020)",
|
|
"meta": {
|
|
"external_id": "S0530",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0530",
|
|
"https://securelist.com/the-tetrade-brazilian-banking-malware/97779/"
|
|
],
|
|
"synonyms": [
|
|
"Melcoz"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d3105fb5-c494-4fd1-a7be-414eab9e0c96",
|
|
"value": "Melcoz - S0530"
|
|
},
|
|
{
|
|
"description": "[zwShell](https://attack.mitre.org/software/S0350) is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during [Night Dragon](https://attack.mitre.org/campaigns/C0002).(Citation: McAfee Night Dragon)",
|
|
"meta": {
|
|
"external_id": "S0350",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0350",
|
|
"https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf"
|
|
],
|
|
"synonyms": [
|
|
"zwShell"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "54e8672d-5338-4ad1-954a-a7c986bee530",
|
|
"value": "zwShell - S0350"
|
|
},
|
|
{
|
|
"description": "[BONDUPDATER](https://attack.mitre.org/software/S0360) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig Sep 2018)",
|
|
"meta": {
|
|
"external_id": "S0360",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0360",
|
|
"https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/",
|
|
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
|
|
],
|
|
"synonyms": [
|
|
"BONDUPDATER"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d5268dfb-ae2b-4e0e-ac07-02a460613d8a",
|
|
"value": "BONDUPDATER - S0360"
|
|
},
|
|
{
|
|
"description": "[FLASHFLOOD](https://attack.mitre.org/software/S0036) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)",
|
|
"meta": {
|
|
"external_id": "S0036",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0036",
|
|
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
|
|
],
|
|
"synonyms": [
|
|
"FLASHFLOOD"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a",
|
|
"value": "FLASHFLOOD - S0036"
|
|
},
|
|
{
|
|
"description": "[SHOTPUT](https://attack.mitre.org/software/S0063) is a custom backdoor used by [APT3](https://attack.mitre.org/groups/G0022). (Citation: FireEye Clandestine Wolf)",
|
|
"meta": {
|
|
"external_id": "S0063",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0063",
|
|
"https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html",
|
|
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html"
|
|
],
|
|
"synonyms": [
|
|
"SHOTPUT",
|
|
"Backdoor.APT.CookieCutter",
|
|
"Pirpi"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4859330d-c6a5-4b9c-b45b-536ec983cd4a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4859330d-c6a5-4b9c-b45b-536ec983cd4a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb",
|
|
"value": "SHOTPUT - S0063"
|
|
},
|
|
{
|
|
"description": "[Nebulae](https://attack.mitre.org/software/S0630) is a backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)",
|
|
"meta": {
|
|
"external_id": "S0630",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0630",
|
|
"https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Nebulae"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "22b17791-45bf-45c0-9322-ff1a0af5cf2b",
|
|
"value": "Nebulae - S0630"
|
|
},
|
|
{
|
|
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) ",
|
|
"meta": {
|
|
"external_id": "S0603",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0603",
|
|
"https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01",
|
|
"https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf",
|
|
"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf",
|
|
"https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Stuxnet",
|
|
"W32.Stuxnet"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "088f1d6e-0783-47c6-9923-9c79b2af43d4",
|
|
"value": "Stuxnet - S0603"
|
|
},
|
|
{
|
|
"description": "[HAMMERTOSS](https://attack.mitre.org/software/S0037) is a backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2015. (Citation: FireEye APT29) (Citation: F-Secure The Dukes)",
|
|
"meta": {
|
|
"external_id": "S0037",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0037",
|
|
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf",
|
|
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf"
|
|
],
|
|
"synonyms": [
|
|
"HAMMERTOSS",
|
|
"HammerDuke",
|
|
"NetDuke"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4",
|
|
"value": "HAMMERTOSS - S0037"
|
|
},
|
|
{
|
|
"description": "[ASPXSpy](https://attack.mitre.org/software/S0073) is a Web shell. It has been modified by [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors to create the ASPXTool version. (Citation: Dell TG-3390)",
|
|
"meta": {
|
|
"external_id": "S0073",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0073",
|
|
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"
|
|
],
|
|
"synonyms": [
|
|
"ASPXSpy",
|
|
"ASPXTool"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2",
|
|
"value": "ASPXSpy - S0073"
|
|
},
|
|
{
|
|
"description": "[SamSam](https://attack.mitre.org/software/S0370) is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.(Citation: US-CERT SamSam 2018)(Citation: Talos SamSam Jan 2018)(Citation: Sophos SamSam Apr 2018)(Citation: Symantec SamSam Oct 2018)",
|
|
"meta": {
|
|
"external_id": "S0370",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0370",
|
|
"https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html",
|
|
"https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf",
|
|
"https://www.symantec.com/blogs/threat-intelligence/samsam-targeted-ransomware-attacks",
|
|
"https://www.us-cert.gov/ncas/alerts/AA18-337A"
|
|
],
|
|
"synonyms": [
|
|
"SamSam",
|
|
"Samas"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62",
|
|
"value": "SamSam - S0370"
|
|
},
|
|
{
|
|
"description": "[StoneDrill](https://attack.mitre.org/software/S0380) is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with [APT33](https://attack.mitre.org/groups/G0064).(Citation: FireEye APT33 Sept 2017)(Citation: Kaspersky StoneDrill 2017)",
|
|
"meta": {
|
|
"external_id": "S0380",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0380",
|
|
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf",
|
|
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
|
|
],
|
|
"synonyms": [
|
|
"StoneDrill",
|
|
"DROPSHOT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887",
|
|
"value": "StoneDrill - S0380"
|
|
},
|
|
{
|
|
"description": "[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)",
|
|
"meta": {
|
|
"external_id": "S0038",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0038",
|
|
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Duqu"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "809b54c3-dd6a-4ec9-8c3a-a27b9baa6732",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "809b54c3-dd6a-4ec9-8c3a-a27b9baa6732",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
|
|
"value": "Duqu - S0038"
|
|
},
|
|
{
|
|
"description": "[Misdat](https://attack.mitre.org/software/S0083) is a backdoor that was used in [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) from 2010 to 2011.(Citation: Cylance Dust Storm)",
|
|
"meta": {
|
|
"external_id": "S0083",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0083",
|
|
"https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Misdat"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
|
|
"value": "Misdat - S0083"
|
|
},
|
|
{
|
|
"description": "[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed on Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)",
|
|
"meta": {
|
|
"external_id": "S0309",
|
|
"refs": [
|
|
"http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534",
|
|
"https://attack.mitre.org/software/S0309",
|
|
"https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
|
|
"value": "Adups - S0309"
|
|
},
|
|
{
|
|
"description": "[SQLRat](https://attack.mitre.org/software/S0390) is malware that executes SQL scripts to avoid leaving traditional host artifacts. [FIN7](https://attack.mitre.org/groups/G0046) has been observed using it.(Citation: Flashpoint FIN 7 March 2019)",
|
|
"meta": {
|
|
"external_id": "S0390",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0390",
|
|
"https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/"
|
|
],
|
|
"synonyms": [
|
|
"SQLRat"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06",
|
|
"value": "SQLRat - S0390"
|
|
},
|
|
{
|
|
"description": "[JHUHUGIT](https://attack.mitre.org/software/S0044) is malware used by [APT28](https://attack.mitre.org/groups/G0007). It is based on Carberp source code and serves as reconnaissance malware. (Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017)",
|
|
"meta": {
|
|
"external_id": "S0044",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
|
|
"https://attack.mitre.org/software/S0044",
|
|
"https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html",
|
|
"https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
|
|
"https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/",
|
|
"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
|
|
"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
|
|
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
|
|
],
|
|
"synonyms": [
|
|
"JHUHUGIT",
|
|
"Trojan.Sofacy",
|
|
"Seduploader",
|
|
"JKEYSKW",
|
|
"Sednit",
|
|
"GAMEFISH",
|
|
"SofacyCarberp"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
|
|
"value": "JHUHUGIT - S0044"
|
|
},
|
|
{
|
|
"description": "[SHARPSTATS](https://attack.mitre.org/software/S0450) is a .NET backdoor used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2019.(Citation: TrendMicro POWERSTATS V3 June 2019)",
|
|
"meta": {
|
|
"external_id": "S0450",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0450",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/"
|
|
],
|
|
"synonyms": [
|
|
"SHARPSTATS"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "73c4711b-407a-449d-b269-e3b1531fe7a9",
|
|
"value": "SHARPSTATS - S0450"
|
|
},
|
|
{
|
|
"description": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) is a spying backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)",
|
|
"meta": {
|
|
"external_id": "S0045",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
|
|
"https://attack.mitre.org/software/S0045",
|
|
"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
|
|
],
|
|
"synonyms": [
|
|
"ADVSTORESHELL",
|
|
"AZZY",
|
|
"EVILTOSS",
|
|
"NETUI",
|
|
"Sedreco"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6374fc53-9a0d-41ba-b9cf-2a9765d69fbb",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6374fc53-9a0d-41ba-b9cf-2a9765d69fbb",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
|
|
"value": "ADVSTORESHELL - S0045"
|
|
},
|
|
{
|
|
"description": "[Asacub](https://attack.mitre.org/software/S0540) is a banking trojan that attempts to steal money from victims\u2019 bank accounts. It does this by attempting to initiate a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)",
|
|
"meta": {
|
|
"external_id": "S0540",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0540",
|
|
"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"
|
|
],
|
|
"synonyms": [
|
|
"Asacub",
|
|
"Trojan-SMS.AndroidOS.Smaps"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a76b837b-93cc-417d-bf28-c47a6a284fa4",
|
|
"value": "Asacub - S0540"
|
|
},
|
|
{
|
|
"description": "[Anchor](https://attack.mitre.org/software/S0504) is a member of a family of backdoor malware that has been used in conjunction with [TrickBot](https://attack.mitre.org/software/S0266) on selected high-profile targets since at least 2018.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)",
|
|
"meta": {
|
|
"external_id": "S0504",
|
|
"mitre_platforms": [
|
|
"Linux",
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0504",
|
|
"https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30",
|
|
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
|
|
],
|
|
"synonyms": [
|
|
"Anchor",
|
|
"Anchor_DNS"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5f1d4579-4e8f-48e7-860e-2da773ae432e",
|
|
"value": "Anchor - S0504"
|
|
},
|
|
{
|
|
"description": "[CloudDuke](https://attack.mitre.org/software/S0054) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2015. (Citation: F-Secure The Dukes) (Citation: Securelist Minidionis July 2015)",
|
|
"meta": {
|
|
"external_id": "S0054",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0054",
|
|
"https://securelist.com/minidionis-one-more-apt-with-a-usage-of-cloud-drives/71443/",
|
|
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
|
|
],
|
|
"synonyms": [
|
|
"CloudDuke",
|
|
"MiniDionis",
|
|
"CloudLook"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "cbf646f1-7db5-4dc6-808b-0094313949df",
|
|
"value": "CloudDuke - S0054"
|
|
},
|
|
{
|
|
"description": "[Exodus](https://attack.mitre.org/software/S0405) is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)",
|
|
"meta": {
|
|
"external_id": "S0405",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0405",
|
|
"https://securitywithoutborders.org/blog/2019/03/29/exodus.html"
|
|
],
|
|
"synonyms": [
|
|
"Exodus",
|
|
"Exodus One",
|
|
"Exodus Two"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3049b2f2-e323-4cdb-91cb-13b37b904cbb",
|
|
"value": "Exodus - S0405"
|
|
},
|
|
{
|
|
"description": "[Avaddon](https://attack.mitre.org/software/S0640) is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.(Citation: Awake Security Avaddon)(Citation: Arxiv Avaddon Feb 2021)",
|
|
"meta": {
|
|
"external_id": "S0640",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://arxiv.org/pdf/2102.04796.pdf",
|
|
"https://attack.mitre.org/software/S0640",
|
|
"https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/"
|
|
],
|
|
"synonyms": [
|
|
"Avaddon"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "58c5a3a1-928f-4094-9e98-a5a4e56dd5f3",
|
|
"value": "Avaddon - S0640"
|
|
},
|
|
{
|
|
"description": "[CozyCar](https://attack.mitre.org/software/S0046) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. (Citation: F-Secure The Dukes)",
|
|
"meta": {
|
|
"external_id": "S0046",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0046",
|
|
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
|
|
],
|
|
"synonyms": [
|
|
"CozyCar",
|
|
"CozyDuke",
|
|
"CozyBear",
|
|
"Cozer",
|
|
"EuroAPT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
|
|
"value": "CozyCar - S0046"
|
|
},
|
|
{
|
|
"description": "[ELMER](https://attack.mitre.org/software/S0064) is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by [APT16](https://attack.mitre.org/groups/G0023). (Citation: FireEye EPS Awakens Part 2)",
|
|
"meta": {
|
|
"external_id": "S0064",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0064",
|
|
"https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
|
|
],
|
|
"synonyms": [
|
|
"ELMER"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c",
|
|
"value": "ELMER - S0064"
|
|
},
|
|
{
|
|
"description": "[Gustuff](https://attack.mitre.org/software/S0406) is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)",
|
|
"meta": {
|
|
"external_id": "S0406",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0406",
|
|
"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"
|
|
],
|
|
"synonyms": [
|
|
"Gustuff"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1d44f529-6fe6-489f-8a01-6261ac43f05e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "51636761-2e35-44bf-9e56-e337adf97174",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ff8e0c38-be47-410f-a2d3-a3d24a87c617",
|
|
"value": "Gustuff - S0406"
|
|
},
|
|
{
|
|
"description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)",
|
|
"meta": {
|
|
"external_id": "S0604",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0604",
|
|
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
|
|
"https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Industroyer",
|
|
"CRASHOVERRIDE",
|
|
"Win32/Industroyer"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e401d4fe-f0c9-44f0-98e6-f93487678808",
|
|
"value": "Industroyer - S0604"
|
|
},
|
|
{
|
|
"description": "[BBK](https://attack.mitre.org/software/S0470) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)",
|
|
"meta": {
|
|
"external_id": "S0470",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0470",
|
|
"https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf"
|
|
],
|
|
"synonyms": [
|
|
"BBK"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f0fc920e-57a3-4af5-89be-9ea594c8b1ea",
|
|
"value": "BBK - S0470"
|
|
},
|
|
{
|
|
"description": "[Monokle](https://attack.mitre.org/software/S0407) is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.(Citation: Lookout-Monokle)",
|
|
"meta": {
|
|
"external_id": "S0407",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0407",
|
|
"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Monokle"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ccde43e4-78f9-4f32-b401-c081e7db71ea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2c2249a-eb82-4614-8dd4-9c514dde65e2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65",
|
|
"value": "Monokle - S0407"
|
|
},
|
|
{
|
|
"description": "[Sakula](https://attack.mitre.org/software/S0074) is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. (Citation: Dell Sakula)",
|
|
"meta": {
|
|
"external_id": "S0074",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/",
|
|
"https://attack.mitre.org/software/S0074"
|
|
],
|
|
"synonyms": [
|
|
"Sakula",
|
|
"Sakurel",
|
|
"VIPER"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3eca2d5f-41bf-4ad4-847f-df18befcdc44",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f6c137f0-979c-4ce2-a0e5-2a080a5a1746",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "3eca2d5f-41bf-4ad4-847f-df18befcdc44",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f6c137f0-979c-4ce2-a0e5-2a080a5a1746",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
|
|
"value": "Sakula - S0074"
|
|
},
|
|
{
|
|
"description": "[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of [Cerberus](https://attack.mitre.org/software/S0480) claim it was used in private operations for two years.(Citation: Threat Fabric Cerberus)",
|
|
"meta": {
|
|
"external_id": "S0480",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0480",
|
|
"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"
|
|
],
|
|
"synonyms": [
|
|
"Cerberus"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "037f44f0-0c07-4c7f-b40e-0325b5b228a9",
|
|
"value": "Cerberus - S0480"
|
|
},
|
|
{
|
|
"description": "[PinchDuke](https://attack.mitre.org/software/S0048) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2008 to 2010. (Citation: F-Secure The Dukes)",
|
|
"meta": {
|
|
"external_id": "S0048",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0048",
|
|
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
|
|
],
|
|
"synonyms": [
|
|
"PinchDuke"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164",
|
|
"value": "PinchDuke - S0048"
|
|
},
|
|
{
|
|
"description": "[GeminiDuke](https://attack.mitre.org/software/S0049) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2009 to 2012. (Citation: F-Secure The Dukes)",
|
|
"meta": {
|
|
"external_id": "S0049",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0049",
|
|
"https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
|
|
],
|
|
"synonyms": [
|
|
"GeminiDuke"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6a28a648-30c0-4d1d-bd67-81a8dc6486ba",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6a28a648-30c0-4d1d-bd67-81a8dc6486ba",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6",
|
|
"value": "GeminiDuke - S0049"
|
|
},
|
|
{
|
|
"description": "[Machete](https://attack.mitre.org/software/S0409) is a cyber espionage toolset used by [Machete](https://attack.mitre.org/groups/G0095). It is a Python-based backdoor targeting Windows machines that was first observed in 2010.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: 360 Machete Sep 2020)",
|
|
"meta": {
|
|
"external_id": "S0409",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0409",
|
|
"https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/",
|
|
"https://securelist.com/el-machete/66108/",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Machete",
|
|
"Pyark"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "35cd1d01-1ede-44d2-b073-a264d727bc04",
|
|
"value": "Machete - S0409"
|
|
},
|
|
{
|
|
"description": "[DoubleAgent](https://attack.mitre.org/software/S0550) is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)",
|
|
"meta": {
|
|
"external_id": "S0550",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0550",
|
|
"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"
|
|
],
|
|
"synonyms": [
|
|
"DoubleAgent"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3d6c4389-3489-40a3-beda-c56e650b6f68",
|
|
"value": "DoubleAgent - S0550"
|
|
},
|
|
{
|
|
"description": "[RARSTONE](https://attack.mitre.org/software/S0055) is malware used by the [Naikon](https://attack.mitre.org/groups/G0019) group that has some characteristics similar to [PlugX](https://attack.mitre.org/software/S0013). (Citation: Aquino RARSTONE)",
|
|
"meta": {
|
|
"external_id": "S0055",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/",
|
|
"https://attack.mitre.org/software/S0055"
|
|
],
|
|
"synonyms": [
|
|
"RARSTONE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "5d2dd6ad-6bb2-45d3-b295-e125d3399c8d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5d2dd6ad-6bb2-45d3-b295-e125d3399c8d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8c553311-0baa-4146-997a-f79acef3d831",
|
|
"value": "RARSTONE - S0055"
|
|
},
|
|
{
|
|
"description": "[TEARDROP](https://attack.mitre.org/software/S0560) is a memory-only dropper that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was likely used by [APT29](https://attack.mitre.org/groups/G0016) since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)",
|
|
"meta": {
|
|
"external_id": "S0560",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0560",
|
|
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
|
|
"https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"
|
|
],
|
|
"synonyms": [
|
|
"TEARDROP"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "32f49626-87f4-4d6c-8f59-a0dca953fe26",
|
|
"value": "TEARDROP - S0560"
|
|
},
|
|
{
|
|
"description": "[EKANS](https://attack.mitre.org/software/S0605) is a ransomware variant written in Golang that first appeared in mid-December 2019 and has been used against multiple sectors, including energy, healthcare, and automotive manufacturing, which in some cases resulted in significant operational disruptions. [EKANS](https://attack.mitre.org/software/S0605) has used a hard-coded kill-list of processes, including some associated with common ICS software platforms (e.g., GE Proficy, Honeywell HMIWeb, etc.), similar to those defined in [MegaCortex](https://attack.mitre.org/software/S0576).(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)",
|
|
"meta": {
|
|
"external_id": "S0605",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0605",
|
|
"https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/",
|
|
"https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/",
|
|
"https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"
|
|
],
|
|
"synonyms": [
|
|
"EKANS",
|
|
"SNAKEHOSE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "00e7d565-9883-4ee5-b642-8fd17fd6a3f5",
|
|
"value": "EKANS - S0605"
|
|
},
|
|
{
|
|
"description": "[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT) ",
|
|
"meta": {
|
|
"external_id": "S0506",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0506",
|
|
"https://blog.lookout.com/viperrat-mobile-apt"
|
|
],
|
|
"synonyms": [
|
|
"ViperRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f666e17c-b290-43b3-8947-b96bd5148fbb",
|
|
"value": "ViperRAT - S0506"
|
|
},
|
|
{
|
|
"description": "[QakBot](https://attack.mitre.org/software/S0650) is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. [QakBot](https://attack.mitre.org/software/S0650) is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably [ProLock](https://attack.mitre.org/software/S0654) and [Egregor](https://attack.mitre.org/software/S0554).(Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021)",
|
|
"meta": {
|
|
"external_id": "S0650",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0650",
|
|
"https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot",
|
|
"https://redcanary.com/threat-detection-report/threats/qbot/",
|
|
"https://securelist.com/qakbot-technical-analysis/103931/",
|
|
"https://success.trendmicro.com/solution/000283381"
|
|
],
|
|
"synonyms": [
|
|
"QakBot",
|
|
"Pinkslipbot",
|
|
"QuackBot",
|
|
"QBot"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4dc46e3-5ba5-45b9-8204-010867cacfcb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9",
|
|
"value": "QakBot - S0650"
|
|
},
|
|
{
|
|
"description": "[BitPaymer](https://attack.mitre.org/software/S0570) is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. [BitPaymer](https://attack.mitre.org/software/S0570) uses a unique encryption key, ransom note, and contact information for each operation. [BitPaymer](https://attack.mitre.org/software/S0570) has several indicators suggesting overlap with the [Dridex](https://attack.mitre.org/software/S0384) malware and is often delivered via [Dridex](https://attack.mitre.org/software/S0384).(Citation: Crowdstrike Indrik November 2018)",
|
|
"meta": {
|
|
"external_id": "S0570",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0570",
|
|
"https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/"
|
|
],
|
|
"synonyms": [
|
|
"BitPaymer",
|
|
"wp_encrypt",
|
|
"FriedEx"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "fa766a65-5136-4ff3-8429-36d08eaa0100",
|
|
"value": "BitPaymer - S0570"
|
|
},
|
|
{
|
|
"description": "[eSurv](https://attack.mitre.org/software/S0507) is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)",
|
|
"meta": {
|
|
"external_id": "S0507",
|
|
"mitre_platforms": [
|
|
"Android",
|
|
"iOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0507",
|
|
"https://blog.lookout.com/esurv-research"
|
|
],
|
|
"synonyms": [
|
|
"eSurv"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e422b6fa-4739-46b9-992e-82f1b350c780",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "680f680c-eef9-4f8a-b5f5-f451bf47e403",
|
|
"value": "eSurv - S0507"
|
|
},
|
|
{
|
|
"description": "[SslMM](https://attack.mitre.org/software/S0058) is a full-featured backdoor used by [Naikon](https://attack.mitre.org/groups/G0019) that has multiple variants. (Citation: Baumgartner Naikon 2015)",
|
|
"meta": {
|
|
"external_id": "S0058",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0058",
|
|
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"
|
|
],
|
|
"synonyms": [
|
|
"SslMM"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "009db412-762d-4256-8df9-eb213be01ffd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "009db412-762d-4256-8df9-eb213be01ffd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
|
|
"value": "SslMM - S0058"
|
|
},
|
|
{
|
|
"description": "[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)",
|
|
"meta": {
|
|
"external_id": "S0509",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0509",
|
|
"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"
|
|
],
|
|
"synonyms": [
|
|
"FakeSpy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "838f647e-8ff8-48bd-bbd5-613cee7736cb",
|
|
"value": "FakeSpy - S0509"
|
|
},
|
|
{
|
|
"description": "[WinMM](https://attack.mitre.org/software/S0059) is a full-featured, simple backdoor used by [Naikon](https://attack.mitre.org/groups/G0019). (Citation: Baumgartner Naikon 2015)",
|
|
"meta": {
|
|
"external_id": "S0059",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0059",
|
|
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"
|
|
],
|
|
"synonyms": [
|
|
"WinMM"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6a100902-7204-4f20-b838-545ed86d4428",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6a100902-7204-4f20-b838-545ed86d4428",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "22addc7b-b39f-483d-979a-1b35147da5de",
|
|
"value": "WinMM - S0059"
|
|
},
|
|
{
|
|
"description": "[Clambling](https://attack.mitre.org/software/S0660) is a modular backdoor written in C++ that has been used by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2017.(Citation: Trend Micro DRBControl February 2020)",
|
|
"meta": {
|
|
"external_id": "S0660",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0660",
|
|
"https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Clambling"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6e95feb1-78ee-48d3-b421-4d76663b5c49",
|
|
"value": "Clambling - S0660"
|
|
},
|
|
{
|
|
"description": "[WarzoneRAT](https://attack.mitre.org/software/S0670) is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)",
|
|
"meta": {
|
|
"external_id": "S0670",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0670",
|
|
"https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/",
|
|
"https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique"
|
|
],
|
|
"synonyms": [
|
|
"WarzoneRAT",
|
|
"Warzone",
|
|
"Ave Maria"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "fde19a18-e502-467f-be14-58c71b4e7f4b",
|
|
"value": "WarzoneRAT - S0670"
|
|
},
|
|
{
|
|
"description": "[KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)",
|
|
"meta": {
|
|
"external_id": "S0607",
|
|
"mitre_platforms": [
|
|
"Linux",
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
|
|
"https://attack.mitre.org/software/S0607",
|
|
"https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/",
|
|
"https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html",
|
|
"https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html"
|
|
],
|
|
"synonyms": [
|
|
"KillDisk",
|
|
"Win32/KillDisk.NBI",
|
|
"Win32/KillDisk.NBH",
|
|
"Win32/KillDisk.NBD",
|
|
"Win32/KillDisk.NBC",
|
|
"Win32/KillDisk.NBB"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e221eb77-1502-4129-af1d-fe1ad55e7ec6",
|
|
"value": "KillDisk - S0607"
|
|
},
|
|
{
|
|
"description": "[FakeM](https://attack.mitre.org/software/S0076) is a shellcode-based Windows backdoor that has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). (Citation: Scarlet Mimic Jan 2016)",
|
|
"meta": {
|
|
"external_id": "S0076",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/",
|
|
"https://attack.mitre.org/software/S0076"
|
|
],
|
|
"synonyms": [
|
|
"FakeM"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "bb3c1098-d654-4620-bf40-694386d28921",
|
|
"value": "FakeM - S0076"
|
|
},
|
|
{
|
|
"description": "[pngdowner](https://attack.mitre.org/software/S0067) is malware used by [Putter Panda](https://attack.mitre.org/groups/G0024). It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple \"download-and-execute\" utility. (Citation: CrowdStrike Putter Panda)",
|
|
"meta": {
|
|
"external_id": "S0067",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
|
|
"https://attack.mitre.org/software/S0067"
|
|
],
|
|
"synonyms": [
|
|
"pngdowner"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d",
|
|
"value": "pngdowner - S0067"
|
|
},
|
|
{
|
|
"description": "[Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way onto computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)",
|
|
"meta": {
|
|
"external_id": "S0608",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0608",
|
|
"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml",
|
|
"https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm"
|
|
],
|
|
"synonyms": [
|
|
"Conficker",
|
|
"Kido",
|
|
"Downadup"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "58eddbaf-7416-419a-ad7b-e65b9d4c3b55",
|
|
"value": "Conficker - S0608"
|
|
},
|
|
{
|
|
"description": "[LitePower](https://attack.mitre.org/software/S0680) is a downloader and second stage malware that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) since at least 2021.(Citation: Kaspersky WIRTE November 2021)",
|
|
"meta": {
|
|
"external_id": "S0680",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0680",
|
|
"https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044"
|
|
],
|
|
"synonyms": [
|
|
"LitePower"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9020f5c7-efde-4125-a4f1-1b70f1274ddd",
|
|
"value": "LitePower - S0680"
|
|
},
|
|
{
|
|
"description": "[ZLib](https://attack.mitre.org/software/S0086) is a full-featured backdoor that was used as a second-stage implant during [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) since at least 2014. [ZLib](https://attack.mitre.org/software/S0086) is malware and should not be confused with the legitimate compression library from which its name is derived.(Citation: Cylance Dust Storm)",
|
|
"meta": {
|
|
"external_id": "S0086",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0086",
|
|
"https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"ZLib"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
|
|
"value": "ZLib - S0086"
|
|
},
|
|
{
|
|
"description": "[httpclient](https://attack.mitre.org/software/S0068) is malware used by [Putter Panda](https://attack.mitre.org/groups/G0024). It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. (Citation: CrowdStrike Putter Panda)",
|
|
"meta": {
|
|
"external_id": "S0068",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
|
|
"https://attack.mitre.org/software/S0068"
|
|
],
|
|
"synonyms": [
|
|
"httpclient"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0",
|
|
"value": "httpclient - S0068"
|
|
},
|
|
{
|
|
"description": "[BLACKCOFFEE](https://attack.mitre.org/software/S0069) is malware that has been used by several Chinese groups since at least 2013. (Citation: FireEye APT17) (Citation: FireEye Periscope March 2018)",
|
|
"meta": {
|
|
"external_id": "S0069",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0069",
|
|
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
|
|
"https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"BLACKCOFFEE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43",
|
|
"value": "BLACKCOFFEE - S0069"
|
|
},
|
|
{
|
|
"description": "This entry was deprecated as it was inadvertently added to Enterprise; a similar Software entry was created for ATT&CK for ICS.\n\n[TRITON](https://attack.mitre.org/software/S0609) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. [TRITON](https://attack.mitre.org/software/S0609) was deployed against at least one target in the Middle East. (Citation: FireEye TRITON 2017)(Citation: FireEye TRITON 2018)(Citation: Dragos TRISIS)(Citation: CISA HatMan)(Citation: FireEye TEMP.Veles 2018)",
|
|
"meta": {
|
|
"external_id": "S0609",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0609",
|
|
"https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf",
|
|
"https://www.dragos.com/wp-content/uploads/TRISIS-01.pdf",
|
|
"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
|
|
"https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html",
|
|
"https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html"
|
|
],
|
|
"synonyms": [
|
|
"TRITON",
|
|
"HatMan",
|
|
"TRISIS"
|
|
]
|
|
},
|
|
"related": [],
|
|
"uuid": "93ae2edf-a598-4d2d-acd7-bcae0c021923",
|
|
"value": "TRITON - S0609"
|
|
},
|
|
{
|
|
"description": "[CallMe](https://attack.mitre.org/software/S0077) is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. (Citation: Scarlet Mimic Jan 2016)",
|
|
"meta": {
|
|
"external_id": "S0077",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/",
|
|
"https://attack.mitre.org/software/S0077"
|
|
],
|
|
"synonyms": [
|
|
"CallMe"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5",
|
|
"value": "CallMe - S0077"
|
|
},
|
|
{
|
|
"description": "[Psylo](https://attack.mitre.org/software/S0078) is a shellcode-based Trojan that has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). It has similar characteristics as [FakeM](https://attack.mitre.org/software/S0076). (Citation: Scarlet Mimic Jan 2016)",
|
|
"meta": {
|
|
"external_id": "S0078",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/",
|
|
"https://attack.mitre.org/software/S0078"
|
|
],
|
|
"synonyms": [
|
|
"Psylo"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b",
|
|
"value": "Psylo - S0078"
|
|
},
|
|
{
|
|
"description": "[MobileOrder](https://attack.mitre.org/software/S0079) is a Trojan intended to compromise Android mobile devices. It has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). (Citation: Scarlet Mimic Jan 2016)",
|
|
"meta": {
|
|
"external_id": "S0079",
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/",
|
|
"https://attack.mitre.org/software/S0079"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4",
|
|
"value": "MobileOrder - S0079"
|
|
},
|
|
{
|
|
"description": "[Kasidet](https://attack.mitre.org/software/S0088) is a backdoor that has been dropped by using malicious VBA macros. (Citation: Zscaler Kasidet)",
|
|
"meta": {
|
|
"external_id": "S0088",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html",
|
|
"https://attack.mitre.org/software/S0088"
|
|
],
|
|
"synonyms": [
|
|
"Kasidet"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3760920e-4d1a-40d8-9e60-508079499076",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3760920e-4d1a-40d8-9e60-508079499076",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
|
|
"value": "Kasidet - S0088"
|
|
},
|
|
{
|
|
"description": "[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)",
|
|
"meta": {
|
|
"external_id": "S0089",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0089",
|
|
"https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"
|
|
],
|
|
"synonyms": [
|
|
"BlackEnergy",
|
|
"Black Energy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5a22cad7-65fa-4b7a-a7aa-7915a6101efa",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82c644ab-550a-4a83-9b35-d545f4719069",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5a22cad7-65fa-4b7a-a7aa-7915a6101efa",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "82c644ab-550a-4a83-9b35-d545f4719069",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
|
|
"value": "BlackEnergy - S0089"
|
|
},
|
|
{
|
|
"description": "[H1N1](https://attack.mitre.org/software/S0132) is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. (Citation: Cisco H1N1 Part 1)",
|
|
"meta": {
|
|
"external_id": "S0132",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities",
|
|
"https://attack.mitre.org/software/S0132"
|
|
],
|
|
"synonyms": [
|
|
"H1N1"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
|
|
"value": "H1N1 - S0132"
|
|
},
|
|
{
|
|
"description": "[Tarrask](https://attack.mitre.org/software/S1011) is malware that has been used by [HAFNIUM](https://attack.mitre.org/groups/G0125) since at least August 2021. [Tarrask](https://attack.mitre.org/software/S1011) was designed to evade digital defenses and maintain persistence by generating concealed scheduled tasks.(Citation: Tarrask scheduled task)",
|
|
"meta": {
|
|
"external_id": "S1011",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1011",
|
|
"https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/"
|
|
],
|
|
"synonyms": [
|
|
"Tarrask"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "988976ff-beeb-4fb5-b07d-ca7437ea66e8",
|
|
"value": "Tarrask - S1011"
|
|
},
|
|
{
|
|
"description": "[ROCKBOOT](https://attack.mitre.org/software/S0112) is a [Bootkit](https://attack.mitre.org/techniques/T1542/003) that has been used by an unidentified, suspected China-based group. (Citation: FireEye Bootkits)",
|
|
"meta": {
|
|
"external_id": "S0112",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0112",
|
|
"https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html"
|
|
],
|
|
"synonyms": [
|
|
"ROCKBOOT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7",
|
|
"value": "ROCKBOOT - S0112"
|
|
},
|
|
{
|
|
"description": "[DnsSystem](https://attack.mitre.org/software/S1021) is a .NET-based DNS backdoor, which is a customized version of the open-source tool DIG.net, that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2022.(Citation: Zscaler Lyceum DnsSystem June 2022)",
|
|
"meta": {
|
|
"external_id": "S1021",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1021",
|
|
"https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor"
|
|
],
|
|
"synonyms": [
|
|
"DnsSystem"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8a2867f9-e8fc-4bf1-a860-ef6e46311900",
|
|
"value": "DnsSystem - S1021"
|
|
},
|
|
{
|
|
"description": "[PowerLess](https://attack.mitre.org/software/S1012) is a PowerShell-based modular backdoor that has been used by [Magic Hound](https://attack.mitre.org/groups/G0059) since at least 2022.(Citation: Cybereason PowerLess February 2022)",
|
|
"meta": {
|
|
"external_id": "S1012",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1012",
|
|
"https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage"
|
|
],
|
|
"synonyms": [
|
|
"PowerLess"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "35ee9bf3-264b-4411-8a8f-b58cec8f35e4",
|
|
"value": "PowerLess - S1012"
|
|
},
|
|
{
|
|
"description": "[Linfo](https://attack.mitre.org/software/S0211) is a rootkit trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Linfo May 2012)",
|
|
"meta": {
|
|
"external_id": "S0211",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0211",
|
|
"https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
|
|
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99"
|
|
],
|
|
"synonyms": [
|
|
"Linfo"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613",
|
|
"value": "Linfo - S0211"
|
|
},
|
|
{
|
|
"description": "[PS1](https://attack.mitre.org/software/S0613) is a loader that was used to deploy 64-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)",
|
|
"meta": {
|
|
"external_id": "S0613",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0613",
|
|
"https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced"
|
|
],
|
|
"synonyms": [
|
|
"PS1"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "13183cdf-280b-46be-913a-5c6df47831e7",
|
|
"value": "PS1 - S0613"
|
|
},
|
|
{
|
|
"description": "[TINYTYPHON](https://attack.mitre.org/software/S0131) is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. (Citation: Forcepoint Monsoon)",
|
|
"meta": {
|
|
"external_id": "S0131",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0131",
|
|
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca",
|
|
"value": "TINYTYPHON - S0131"
|
|
},
|
|
{
|
|
"description": "[PingPull](https://attack.mitre.org/software/S1031) is a remote access Trojan (RAT) written in Visual C++ that has been used by [GALLIUM](https://attack.mitre.org/groups/G0093) since at least June 2022. [PingPull](https://attack.mitre.org/software/S1031) has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.(Citation: Unit 42 PingPull Jun 2022)",
|
|
"meta": {
|
|
"external_id": "S1031",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1031",
|
|
"https://unit42.paloaltonetworks.com/pingpull-gallium/"
|
|
],
|
|
"synonyms": [
|
|
"PingPull"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3a0f6128-0a01-421d-8eca-e57d8671b1f1",
|
|
"value": "PingPull - S1031"
|
|
},
|
|
{
|
|
"description": "[Prikormka](https://attack.mitre.org/software/S0113) is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. (Citation: ESET Operation Groundbait)",
|
|
"meta": {
|
|
"external_id": "S0113",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf",
|
|
"https://attack.mitre.org/software/S0113"
|
|
],
|
|
"synonyms": [
|
|
"Prikormka"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "67ade442-63f2-4319-bdcd-d2564b963ed6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "67ade442-63f2-4319-bdcd-d2564b963ed6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
|
|
"value": "Prikormka - S0113"
|
|
},
|
|
{
|
|
"description": "[YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)",
|
|
"meta": {
|
|
"external_id": "S0311",
|
|
"mitre_platforms": [
|
|
"Android",
|
|
"iOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0311",
|
|
"https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"
|
|
],
|
|
"synonyms": [
|
|
"YiSpecter"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "670a4d75-103b-4b14-8a9e-4652fa795edd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d3bc5020-f6a2-41c0-8ccb-5e563101b60c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9",
|
|
"value": "YiSpecter - S0311"
|
|
},
|
|
{
|
|
"description": "[ZxxZ](https://attack.mitre.org/software/S1013) is a trojan written in Visual C++ that has been used by [BITTER](https://attack.mitre.org/groups/G1002) since at least August 2021, including against Bangladeshi government personnel.(Citation: Cisco Talos Bitter Bangladesh May 2022)",
|
|
"meta": {
|
|
"external_id": "S1013",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1013",
|
|
"https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "97cfbdc6-504d-41e9-a46c-78a9f806ff0d",
|
|
"value": "ZxxZ - S1013"
|
|
},
|
|
{
|
|
"description": "[BOOTRASH](https://attack.mitre.org/software/S0114) is a [Bootkit](https://attack.mitre.org/techniques/T1542/003) that targets Windows operating systems. It has been used by threat actors that target the financial sector.(Citation: Mandiant M Trends 2016)(Citation: FireEye Bootkits)(Citation: FireEye BOOTRASH SANS)",
|
|
"meta": {
|
|
"external_id": "S0114",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0114",
|
|
"https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html",
|
|
"https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf",
|
|
"https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498163766.pdf"
|
|
],
|
|
"synonyms": [
|
|
"BOOTRASH"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3",
|
|
"value": "BOOTRASH - S0114"
|
|
},
|
|
{
|
|
"description": "[DanBot](https://attack.mitre.org/software/S1014) is a first-stage remote access Trojan written in C# that has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least 2018.(Citation: SecureWorks August 2019)",
|
|
"meta": {
|
|
"external_id": "S1014",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1014",
|
|
"https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"
|
|
],
|
|
"synonyms": [
|
|
"DanBot"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b8d48deb-450c-44f6-a934-ac8765aa89cb",
|
|
"value": "DanBot - S1014"
|
|
},
|
|
{
|
|
"description": "[Chinoxy](https://attack.mitre.org/software/S1041) is a backdoor that has been used since at least November 2018, during the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign, to gain persistence and drop additional payloads. According to security researchers, [Chinoxy](https://attack.mitre.org/software/S1041) has been used by Chinese-speaking threat actors.(Citation: Bitdefender FunnyDream Campaign November 2020)",
|
|
"meta": {
|
|
"external_id": "S1041",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1041",
|
|
"https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Chinoxy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0b639373-5f03-430e-b8f9-2fe8c8faad8e",
|
|
"value": "Chinoxy - S1041"
|
|
},
|
|
{
|
|
"description": "[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)",
|
|
"meta": {
|
|
"external_id": "S0411",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0411",
|
|
"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"
|
|
],
|
|
"synonyms": [
|
|
"Rotexy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "acf8fd2a-dc98-43b4-8d37-64e10728e591",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bb4387ab-7a51-468b-bf5f-a9a8612f0303",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0626c181-93cb-4860-9cb0-dff3b1c13063",
|
|
"value": "Rotexy - S0411"
|
|
},
|
|
{
|
|
"description": "[HALFBAKED](https://attack.mitre.org/software/S0151) is a malware family consisting of multiple components intended to establish persistence in victim networks. (Citation: FireEye FIN7 April 2017)",
|
|
"meta": {
|
|
"external_id": "S0151",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0151",
|
|
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2815a353-cd56-4ed0-8581-812b94f7a326",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2815a353-cd56-4ed0-8581-812b94f7a326",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "71ac10de-1103-40a7-b65b-f97dab9769bf",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f",
|
|
"value": "HALFBAKED - S0151"
|
|
},
|
|
{
|
|
"description": "[Crimson](https://attack.mitre.org/software/S0115) is a remote access Trojan that has been used by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2016.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)",
|
|
"meta": {
|
|
"external_id": "S0115",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0115",
|
|
"https://securelist.com/transparent-tribe-part-1/98127/",
|
|
"https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Crimson",
|
|
"MSIL/Crimson"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "858edfb8-793a-430b-8acc-4310e7d2f0d3",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "8d8efbc6-d1b7-4ec8-bab3-591edba337d0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a61fc694-a88a-484d-a648-db35b49932fd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8d8efbc6-d1b7-4ec8-bab3-591edba337d0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "858edfb8-793a-430b-8acc-4310e7d2f0d3",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "a61fc694-a88a-484d-a648-db35b49932fd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
|
|
"value": "Crimson - S0115"
|
|
},
|
|
{
|
|
"description": "[RegDuke](https://attack.mitre.org/software/S0511) is a first-stage implant written in .NET and used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2017. [RegDuke](https://attack.mitre.org/software/S0511) has been used to control a compromised machine when control of other implants on the machine was lost.(Citation: ESET Dukes October 2019)",
|
|
"meta": {
|
|
"external_id": "S0511",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0511",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf"
|
|
],
|
|
"synonyms": [
|
|
"RegDuke"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "47124daf-44be-4530-9c63-038bc64318dd",
|
|
"value": "RegDuke - S0511"
|
|
},
|
|
{
|
|
"description": "[KEYPLUG](https://attack.mitre.org/software/S1051) is a modular backdoor written in C++, with Windows and Linux variants, that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least June 2021.(Citation: Mandiant APT41)",
|
|
"meta": {
|
|
"external_id": "S1051",
|
|
"mitre_platforms": [
|
|
"Linux",
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1051",
|
|
"https://www.mandiant.com/resources/apt41-us-state-governments"
|
|
],
|
|
"synonyms": [
|
|
"KEYPLUG",
|
|
"KEYPLUG.LINUX"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6c575670-d14c-4c7f-9b9d-fd1b363e255d",
|
|
"value": "KEYPLUG - S1051"
|
|
},
|
|
{
|
|
"description": "[Milan](https://attack.mitre.org/software/S1015) is a backdoor implant based on [DanBot](https://attack.mitre.org/software/S1014) that was written in Visual C++ and .NET. [Milan](https://attack.mitre.org/software/S1015) has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least June 2020.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)",
|
|
"meta": {
|
|
"external_id": "S1015",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1015",
|
|
"https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf",
|
|
"https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns",
|
|
"https://www.clearskysec.com/siamesekitten/"
|
|
],
|
|
"synonyms": [
|
|
"Milan",
|
|
"James"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "aea6d6b8-d832-4c90-a1bb-f52c6684db6c",
|
|
"value": "Milan - S1015"
|
|
},
|
|
{
|
|
"description": "[AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. [AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States; however, victims are believed to be spread across a total of 17 countries.(Citation: lookout_abstractemu_1021)",
|
|
"meta": {
|
|
"external_id": "S1061",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1061",
|
|
"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"
|
|
],
|
|
"synonyms": [
|
|
"AbstractEmu"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "27d18e87-8f32-4be1-b456-39b90454360f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2aec175b-4429-4048-8e09-3ef6cbecfc64",
|
|
"value": "AbstractEmu - S1061"
|
|
},
|
|
{
|
|
"description": "[XAgentOSX](https://attack.mitre.org/software/S0161) is a trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be a port of their standard [CHOPSTICK](https://attack.mitre.org/software/S0023) or XAgent trojan. (Citation: XAgentOSX 2017)",
|
|
"meta": {
|
|
"external_id": "S0161",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0161",
|
|
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/",
|
|
"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government"
|
|
],
|
|
"synonyms": [
|
|
"XAgentOSX",
|
|
"OSX.Sofacy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5930509b-7793-4db9-bdfc-4edda7709d0d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
|
|
"value": "XAgentOSX - S0161"
|
|
},
|
|
{
|
|
"description": "[Clop](https://attack.mitre.org/software/S0611) is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. [Clop](https://attack.mitre.org/software/S0611) is a variant of the CryptoMix ransomware.(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)(Citation: Unit42 Clop April 2021) ",
|
|
"meta": {
|
|
"external_id": "S0611",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0611",
|
|
"https://unit42.paloaltonetworks.com/clop-ransomware/",
|
|
"https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware",
|
|
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/"
|
|
],
|
|
"synonyms": [
|
|
"Clop"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "cad3ba95-8c89-4146-ab10-08daa813f9de",
|
|
"value": "Clop - S0611"
|
|
},
|
|
{
|
|
"description": "[MacMa](https://attack.mitre.org/software/S1016) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://attack.mitre.org/software/S1016) has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022)",
|
|
"meta": {
|
|
"external_id": "S1016",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1016",
|
|
"https://objective-see.org/blog/blog_0x69.html",
|
|
"https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/"
|
|
],
|
|
"synonyms": [
|
|
"MacMa",
|
|
"OSX.CDDS",
|
|
"DazzleSpy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "bdee9574-7479-4073-a7dc-e86d8acd073a",
|
|
"value": "MacMa - S1016"
|
|
},
|
|
{
|
|
"description": "[Felismus](https://attack.mitre.org/software/S0171) is a modular backdoor that has been used by [Sowbug](https://attack.mitre.org/groups/G0054). (Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)",
|
|
"meta": {
|
|
"external_id": "S0171",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0171",
|
|
"https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware",
|
|
"https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
|
|
],
|
|
"synonyms": [
|
|
"Felismus"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
|
|
"value": "Felismus - S0171"
|
|
},
|
|
{
|
|
"description": "[OutSteel](https://attack.mitre.org/software/S1017) is a file uploader and document stealer developed with the scripting language AutoIT that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )",
|
|
"meta": {
|
|
"external_id": "S1017",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1017",
|
|
"https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c113230f-f044-423b-af63-9b63c802f5ae",
|
|
"value": "OutSteel - S1017"
|
|
},
|
|
{
|
|
"description": "[XTunnel](https://attack.mitre.org/software/S0117) is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by [APT28](https://attack.mitre.org/groups/G0007) during the compromise of the Democratic National Committee. (Citation: Crowdstrike DNC June 2016) (Citation: Invincea XTunnel) (Citation: ESET Sednit Part 2)",
|
|
"meta": {
|
|
"external_id": "S0117",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
|
|
"https://attack.mitre.org/software/S0117",
|
|
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
|
|
"https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/",
|
|
"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government"
|
|
],
|
|
"synonyms": [
|
|
"XTunnel",
|
|
"Trojan.Shunnael",
|
|
"X-Tunnel",
|
|
"XAPS"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6d180bd7-3c77-4faf-b98b-dc2ab5f49101",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6d180bd7-3c77-4faf-b98b-dc2ab5f49101",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
|
|
"value": "XTunnel - S0117"
|
|
},
|
|
{
|
|
"description": "[BADHATCH](https://attack.mitre.org/software/S1081) is a backdoor that has been utilized by [FIN8](https://attack.mitre.org/groups/G0061) since at least 2019. [BADHATCH](https://attack.mitre.org/software/S1081) has been used to target the insurance, retail, technology, and chemical industries in the United States, Canada, South Africa, Panama, and Italy.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021)",
|
|
"meta": {
|
|
"external_id": "S1081",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1081",
|
|
"https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/",
|
|
"https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf"
|
|
],
|
|
"synonyms": [
|
|
"BADHATCH"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3553b49d-d4ae-4fb6-ab17-0adbc520c888",
|
|
"value": "BADHATCH - S1081"
|
|
},
|
|
{
|
|
"description": "[FALLCHILL](https://attack.mitre.org/software/S0181) is a RAT that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other [Lazarus Group](https://attack.mitre.org/groups/G0032) malware or delivered when a victim unknowingly visits a compromised website. (Citation: US-CERT FALLCHILL Nov 2017)",
|
|
"meta": {
|
|
"external_id": "S0181",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0181",
|
|
"https://www.us-cert.gov/ncas/alerts/TA17-318A"
|
|
],
|
|
"synonyms": [
|
|
"FALLCHILL"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0bea149-2def-484f-b658-f782a4f94815",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e0bea149-2def-484f-b658-f782a4f94815",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e",
|
|
"value": "FALLCHILL - S0181"
|
|
},
|
|
{
|
|
"description": "[Nidiran](https://attack.mitre.org/software/S0118) is a custom backdoor developed and used by [Suckfly](https://attack.mitre.org/groups/G0039). It has been delivered via strategic web compromise. (Citation: Symantec Suckfly March 2016)",
|
|
"meta": {
|
|
"external_id": "S0118",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates",
|
|
"https://attack.mitre.org/software/S0118"
|
|
],
|
|
"synonyms": [
|
|
"Nidiran",
|
|
"Backdoor.Nidiran"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe",
|
|
"value": "Nidiran - S0118"
|
|
},
|
|
{
|
|
"description": "[Shark](https://attack.mitre.org/software/S1019) is a backdoor malware written in C# and .NET that is an updated version of [Milan](https://attack.mitre.org/software/S1015); it has been used by [HEXANE](https://attack.mitre.org/groups/G1001) since at least July 2021.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)",
|
|
"meta": {
|
|
"external_id": "S1019",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1019",
|
|
"https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns",
|
|
"https://www.clearskysec.com/siamesekitten/"
|
|
],
|
|
"synonyms": [
|
|
"Shark"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "99854cc8-f202-4e03-aa0a-4f8a4af93229",
|
|
"value": "Shark - S1019"
|
|
},
|
|
{
|
|
"description": "[Concipit1248](https://attack.mitre.org/software/S0426) is iOS spyware that was discovered using the same name as the developer of the Android spyware [Corona Updates](https://attack.mitre.org/software/S0425). Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.(Citation: TrendMicro Coronavirus Updates)",
|
|
"meta": {
|
|
"external_id": "S0426",
|
|
"mitre_platforms": [
|
|
"iOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0426",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"
|
|
],
|
|
"synonyms": [
|
|
"Concipit1248",
|
|
"Corona Updates"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "89c3dbf6-f281-41b7-be1d-a0e641014853",
|
|
"value": "Concipit1248 - S0426"
|
|
},
|
|
{
|
|
"description": "[Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in [Industroyer](https://attack.mitre.org/software/S0604). Security researchers assess that [Industroyer2](https://attack.mitre.org/software/S1072) was designed to cause impact to high-voltage electrical substations. The initial [Industroyer2](https://attack.mitre.org/software/S1072) sample was compiled on 03/23/2022 and scheduled to execute on 04/08/2022; however, it was discovered before it was deployed, resulting in no impact.(Citation: Industroyer2 Blackhat ESET)",
|
|
"meta": {
|
|
"external_id": "S1072",
|
|
"mitre_platforms": [
|
|
"Field Controller/RTU/PLC/IED",
|
|
"Engineering Workstation"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1072",
|
|
"https://www.youtube.com/watch?v=xC9iM5wVedQ"
|
|
],
|
|
"synonyms": [
|
|
"Industroyer2"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5",
|
|
"value": "Industroyer2 - S1072"
|
|
},
|
|
{
|
|
"description": "[CORALDECK](https://attack.mitre.org/software/S0212) is an exfiltration tool used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)",
|
|
"meta": {
|
|
"external_id": "S0212",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0212",
|
|
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
|
|
],
|
|
"synonyms": [
|
|
"CORALDECK"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "becf81e5-f989-4093-a67d-d55a0483885f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "becf81e5-f989-4093-a67d-d55a0483885f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e",
|
|
"value": "CORALDECK - S0212"
|
|
},
|
|
{
|
|
"description": "[IceApple](https://attack.mitre.org/software/S1022) is a modular Internet Information Services (IIS) post-exploitation framework, that has been used since at least 2021 against the technology, academic, and government sectors.(Citation: CrowdStrike IceApple May 2022)",
|
|
"meta": {
|
|
"external_id": "S1022",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1022",
|
|
"https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf"
|
|
],
|
|
"synonyms": [
|
|
"IceApple"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "69e5226d-05dc-4f15-95d7-44f5ed78d06e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "dd889a55-fb2c-4ec7-8e9f-c399939a49e1",
|
|
"value": "IceApple - S1022"
|
|
},
|
|
{
|
|
"description": "A Linux rootkit that provides backdoor access and hides from defenders.",
|
|
"meta": {
|
|
"external_id": "S0221",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0221",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/?_ga=2.180041126.367598458.1505420282-1759340220.1502477046"
|
|
],
|
|
"synonyms": [
|
|
"Umbreon"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2a18f5dd-40fc-444b-a7c6-85f94b3eee13",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2a18f5dd-40fc-444b-a7c6-85f94b3eee13",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3d8e547d-9456-4f32-a895-dc86134e282f",
|
|
"value": "Umbreon - S0221"
|
|
},
|
|
{
|
|
"description": "[ccf32](https://attack.mitre.org/software/S1043) is data collection malware that has been used since at least February 2019, most notably during the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign; there is also a similar x64 version.(Citation: Bitdefender FunnyDream Campaign November 2020)",
|
|
"meta": {
|
|
"external_id": "S1043",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1043",
|
|
"https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf"
|
|
],
|
|
"synonyms": [
|
|
"ccf32"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a394448a-4576-41b8-81cc-9b61abad94ab",
|
|
"value": "ccf32 - S1043"
|
|
},
|
|
{
|
|
"description": "[DOGCALL](https://attack.mitre.org/software/S0213) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018)",
|
|
"meta": {
|
|
"external_id": "S0213",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0213",
|
|
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
|
|
],
|
|
"synonyms": [
|
|
"DOGCALL"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a5e851b4-e046-43b6-bc6e-c6c008e3c5aa",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a5e851b4-e046-43b6-bc6e-c6c008e3c5aa",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d",
|
|
"value": "DOGCALL - S0213"
|
|
},
|
|
{
|
|
"description": "[PyDCrypt](https://attack.mitre.org/software/S1032) is malware written in Python designed to deliver [DCSrv](https://attack.mitre.org/software/S1033). It has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) since at least September 2021, with each sample tailored for its intended victim organization.(Citation: Checkpoint MosesStaff Nov 2021)",
|
|
"meta": {
|
|
"external_id": "S1032",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1032",
|
|
"https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/"
|
|
],
|
|
"synonyms": [
|
|
"PyDCrypt"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2ac41e8b-4865-4ced-839d-78e7852c47f3",
|
|
"value": "PyDCrypt - S1032"
|
|
},
|
|
{
|
|
"description": "[CreepyDrive](https://attack.mitre.org/software/S1023) is a custom implant has been used by [POLONIUM](https://attack.mitre.org/groups/G1005) since at least early 2022 for C2 with and exfiltration to actor-controlled OneDrive accounts.(Citation: Microsoft POLONIUM June 2022)\n\n[POLONIUM](https://attack.mitre.org/groups/G1005) has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.(Citation: Microsoft POLONIUM June 2022)",
|
|
"meta": {
|
|
"external_id": "S1023",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"Office 365"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1023",
|
|
"https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/"
|
|
],
|
|
"synonyms": [
|
|
"CreepyDrive"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "750eb92a-7fdf-451e-9592-1d42357018f1",
|
|
"value": "CreepyDrive - S1023"
|
|
},
|
|
{
|
|
"description": "[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. (Citation: ArsTechnica-HummingWhale)",
|
|
"meta": {
|
|
"external_id": "S0321",
|
|
"refs": [
|
|
"http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/",
|
|
"https://attack.mitre.org/software/S0321"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f",
|
|
"value": "HummingWhale - S0321"
|
|
},
|
|
{
|
|
"description": "[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. (Citation: PaloAlto-WireLurker)",
|
|
"meta": {
|
|
"external_id": "S0312",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0312",
|
|
"https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/",
|
|
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
|
|
"value": "WireLurker - S0312"
|
|
},
|
|
{
|
|
"description": "[RATANKBA](https://attack.mitre.org/software/S0241) is a remote controller tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032). [RATANKBA](https://attack.mitre.org/software/S0241) has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. [RATANKBA](https://attack.mitre.org/software/S0241) has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. (Citation: Lazarus RATANKBA) (Citation: RATANKBA)",
|
|
"meta": {
|
|
"external_id": "S0241",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0241",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/",
|
|
"https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html"
|
|
],
|
|
"synonyms": [
|
|
"RATANKBA"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9b325b06-35a1-457d-be46-a4ecc0b7ff0c",
|
|
"value": "RATANKBA - S0241"
|
|
},
|
|
{
|
|
"description": "[SUGARDUMP](https://attack.mitre.org/software/S1042) is a proprietary browser credential harvesting tool that was used by UNC3890 during the [C0010](https://attack.mitre.org/campaigns/C0010) campaign. The first known [SUGARDUMP](https://attack.mitre.org/software/S1042) version was used since at least early 2021, a second SMTP C2 version was used from late 2021-early 2022, and a third HTTP C2 variant was used since at least April 2022.(Citation: Mandiant UNC3890 Aug 2022)",
|
|
"meta": {
|
|
"external_id": "S1042",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1042",
|
|
"https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping"
|
|
],
|
|
"synonyms": [
|
|
"SUGARDUMP"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9c10cede-c0bb-4c5c-91c0-8baec30abaf6",
|
|
"value": "SUGARDUMP - S1042"
|
|
},
|
|
{
|
|
"description": "[HAPPYWORK](https://attack.mitre.org/software/S0214) is a downloader used by [APT37](https://attack.mitre.org/groups/G0067) to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018)",
|
|
"meta": {
|
|
"external_id": "S0214",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0214",
|
|
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "656cd201-d57a-4a2f-a201-531eb4922a72",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "656cd201-d57a-4a2f-a201-531eb4922a72",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68",
|
|
"value": "HAPPYWORK - S0214"
|
|
},
|
|
{
|
|
"description": "[CreepySnail](https://attack.mitre.org/software/S1024) is a custom PowerShell implant that has been used by [POLONIUM](https://attack.mitre.org/groups/G1005) since at least 2022.(Citation: Microsoft POLONIUM June 2022)",
|
|
"meta": {
|
|
"external_id": "S1024",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1024",
|
|
"https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/"
|
|
],
|
|
"synonyms": [
|
|
"CreepySnail"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d23de441-f9cf-4802-b1ff-f588a11a896b",
|
|
"value": "CreepySnail - S1024"
|
|
},
|
|
{
|
|
"description": "[StreamEx](https://attack.mitre.org/software/S0142) is a malware family that has been used by [Deep Panda](https://attack.mitre.org/groups/G0009) since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. (Citation: Cylance Shell Crew Feb 2017)",
|
|
"meta": {
|
|
"external_id": "S0142",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0142",
|
|
"https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
|
|
],
|
|
"synonyms": [
|
|
"StreamEx"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9991ace8-1a62-498c-a9ef-19d474deb505",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9991ace8-1a62-498c-a9ef-19d474deb505",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86",
|
|
"value": "StreamEx - S0142"
|
|
},
|
|
{
|
|
"description": "[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)",
|
|
"meta": {
|
|
"external_id": "S0421",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0421",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"
|
|
],
|
|
"synonyms": [
|
|
"GolfSpy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c19cfc89-5ac6-4d2d-a236-70d2b32e007c",
|
|
"value": "GolfSpy - S0421"
|
|
},
|
|
{
|
|
"description": "[Pisloader](https://attack.mitre.org/software/S0124) is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by [APT18](https://attack.mitre.org/groups/G0026) and is similar to another malware family, [HTTPBrowser](https://attack.mitre.org/software/S0070), that has been used by the group. (Citation: Palo Alto DNS Requests)",
|
|
"meta": {
|
|
"external_id": "S0124",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/",
|
|
"https://attack.mitre.org/software/S0124"
|
|
],
|
|
"synonyms": [
|
|
"Pisloader"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236",
|
|
"value": "Pisloader - S0124"
|
|
},
|
|
{
|
|
"description": "[ZxShell](https://attack.mitre.org/software/S0412) is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014)",
|
|
"meta": {
|
|
"external_id": "S0412",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0412",
|
|
"https://blogs.cisco.com/security/talos/opening-zxshell",
|
|
"https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf"
|
|
],
|
|
"synonyms": [
|
|
"ZxShell",
|
|
"Sensocode"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "cfc75b0d-e579-40ae-ad07-a1ce00d49a6c",
|
|
"value": "ZxShell - S0412"
|
|
},
|
|
{
|
|
"description": "[KARAE](https://attack.mitre.org/software/S0215) is a backdoor typically used by [APT37](https://attack.mitre.org/groups/G0067) as first-stage malware. (Citation: FireEye APT37 Feb 2018)",
|
|
"meta": {
|
|
"external_id": "S0215",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0215",
|
|
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
|
|
],
|
|
"synonyms": [
|
|
"KARAE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "70ca8408-bc45-4d39-acd2-9190ba15ea97",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "70ca8408-bc45-4d39-acd2-9190ba15ea97",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322",
|
|
"value": "KARAE - S0215"
|
|
},
|
|
{
|
|
"description": "[DEADEYE](https://attack.mitre.org/software/S1052) is a malware launcher that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least May 2021. [DEADEYE](https://attack.mitre.org/software/S1052) has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).(Citation: Mandiant APT41)",
|
|
"meta": {
|
|
"external_id": "S1052",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1052",
|
|
"https://www.mandiant.com/resources/apt41-us-state-governments"
|
|
],
|
|
"synonyms": [
|
|
"DEADEYE",
|
|
"DEADEYE.EMBED",
|
|
"DEADEYE.APPEND"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c46eb8e6-bf29-4696-8008-3ddb0b4ca470",
|
|
"value": "DEADEYE - S1052"
|
|
},
|
|
{
|
|
"description": "[Amadey](https://attack.mitre.org/software/S1025) is a Trojan bot that has been used since at least October 2018.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)",
|
|
"meta": {
|
|
"external_id": "S1025",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1025",
|
|
"https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot",
|
|
"https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory="
|
|
],
|
|
"synonyms": [
|
|
"Amadey"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29ba5a15-3b7b-4732-b817-65ea8f6468e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "05318127-5962-444b-b900-a9dcfe0ff6e9",
|
|
"value": "Amadey - S1025"
|
|
},
|
|
{
|
|
"description": "[FatDuke](https://attack.mitre.org/software/S0512) is a backdoor used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2016.(Citation: ESET Dukes October 2019)",
|
|
"meta": {
|
|
"external_id": "S0512",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0512",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf"
|
|
],
|
|
"synonyms": [
|
|
"FatDuke"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "54a01db0-9fab-4d5f-8209-53cef8425f4a",
|
|
"value": "FatDuke - S0512"
|
|
},
|
|
{
|
|
"description": "[EvilGrab](https://attack.mitre.org/software/S0152) is a malware family with common reconnaissance capabilities. It has been deployed by [menuPass](https://attack.mitre.org/groups/G0045) via malicious Microsoft Office documents as part of spearphishing campaigns. (Citation: PWC Cloud Hopper Technical Annex April 2017)",
|
|
"meta": {
|
|
"external_id": "S0152",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0152",
|
|
"https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf"
|
|
],
|
|
"synonyms": [
|
|
"EvilGrab"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c9b4ec27-0a43-4671-a967-bcac5df0e056",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "c9b4ec27-0a43-4671-a967-bcac5df0e056",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "c542f369-f06d-4168-8c84-fdf5fc7f2a8d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
|
|
"value": "EvilGrab - S0152"
|
|
},
|
|
{
|
|
"description": "[Remsec](https://attack.mitre.org/software/S0125) is a modular backdoor that has been used by [Strider](https://attack.mitre.org/groups/G0041) and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. (Citation: Symantec Strider Blog)",
|
|
"meta": {
|
|
"external_id": "S0125",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
|
|
"https://attack.mitre.org/software/S0125",
|
|
"https://securelist.com/faq-the-projectsauron-apt/75533/"
|
|
],
|
|
"synonyms": [
|
|
"Remsec",
|
|
"Backdoor.Remsec",
|
|
"ProjectSauron"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "215d9700-5881-48b8-8265-6449dbb7195d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
|
|
"value": "Remsec - S0125"
|
|
},
|
|
{
|
|
"description": "[Zebrocy](https://attack.mitre.org/software/S0251) is a Trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: CISA Zebrocy Oct 2020)",
|
|
"meta": {
|
|
"external_id": "S0251",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0251",
|
|
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
|
|
"https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
|
|
"https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/",
|
|
"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b",
|
|
"https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50",
|
|
"https://www.cyberscoop.com/apt28-brexit-phishing-accenture/"
|
|
],
|
|
"synonyms": [
|
|
"Zebrocy",
|
|
"Zekapab"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a4f57468-fbd5-49e4-8476-52088220b92d",
|
|
"value": "Zebrocy - S0251"
|
|
},
|
|
{
|
|
"description": "[ComRAT](https://attack.mitre.org/software/S0126) is a second stage implant suspected of being a descendant of [Agent.btz](https://attack.mitre.org/software/S0092) and used by [Turla](https://attack.mitre.org/groups/G0010). The first version of [ComRAT](https://attack.mitre.org/software/S0126) was identified in 2007, but the tool has undergone substantial development for many years since.(Citation: Symantec Waterbug)(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020)",
|
|
"meta": {
|
|
"external_id": "S0126",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0126",
|
|
"https://docplayer.net/101655589-Tools-used-by-the-uroburos-actors.html",
|
|
"https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf"
|
|
],
|
|
"synonyms": [
|
|
"ComRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9223bf17-7e32-4833-9574-9ffd8c929765",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "da079741-05e6-458c-b434-011263dc691c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9223bf17-7e32-4833-9574-9ffd8c929765",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "da079741-05e6-458c-b434-011263dc691c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565",
|
|
"value": "ComRAT - S0126"
|
|
},
|
|
{
|
|
"description": "[POORAIM](https://attack.mitre.org/software/S0216) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) in campaigns since at least 2014. (Citation: FireEye APT37 Feb 2018)",
|
|
"meta": {
|
|
"external_id": "S0216",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0216",
|
|
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
|
|
],
|
|
"synonyms": [
|
|
"POORAIM"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fe97ace3-9a80-42af-9eae-1f9245927e5d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "fe97ace3-9a80-42af-9eae-1f9245927e5d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79",
|
|
"value": "POORAIM - S0216"
|
|
},
|
|
{
|
|
"description": "[Catchamas](https://attack.mitre.org/software/S0261) is a Windows Trojan that steals information from compromised systems. (Citation: Symantec Catchamas April 2018)",
|
|
"meta": {
|
|
"external_id": "S0261",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0261",
|
|
"https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99"
|
|
],
|
|
"synonyms": [
|
|
"Catchamas"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8d9e758b-735f-4cbc-ba7c-32cd15138b2a",
|
|
"value": "Catchamas - S0261"
|
|
},
|
|
{
|
|
"description": "[Komplex](https://attack.mitre.org/software/S0162) is a backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be developed in a similar manner to [XAgentOSX](https://attack.mitre.org/software/S0161). (Citation: XAgentOSX 2017) (Citation: Sofacy Komplex Trojan)",
|
|
"meta": {
|
|
"external_id": "S0162",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0162",
|
|
"https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/",
|
|
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/"
|
|
],
|
|
"synonyms": [
|
|
"Komplex"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "75c79f95-4c84-4650-9158-510f0ce4831d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f108215f-3487-489d-be8b-80e346d32518",
|
|
"value": "Komplex - S0162"
|
|
},
|
|
{
|
|
"description": "[WastedLocker](https://attack.mitre.org/software/S0612) is a ransomware family attributed to [Indrik Spider](https://attack.mitre.org/groups/G0119) that has been used since at least May 2020. [WastedLocker](https://attack.mitre.org/software/S0612) has been used against a broad variety of sectors, including manufacturing, information technology, and media.(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group WastedLocker June 2020)(Citation: Sentinel Labs WastedLocker July 2020)",
|
|
"meta": {
|
|
"external_id": "S0612",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0612",
|
|
"https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
|
|
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us",
|
|
"https://www.sentinelone.com/labs/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/"
|
|
],
|
|
"synonyms": [
|
|
"WastedLocker"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "46cbafbc-8907-42d3-9002-5327c26f8927",
|
|
"value": "WastedLocker - S0612"
|
|
},
|
|
{
|
|
"description": "[Mongall](https://attack.mitre.org/software/S1026) is a backdoor that has been used since at least 2013, including by [Aoqin Dragon](https://attack.mitre.org/groups/G1007).(Citation: SentinelOne Aoqin Dragon June 2022)",
|
|
"meta": {
|
|
"external_id": "S1026",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1026",
|
|
"https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/"
|
|
],
|
|
"synonyms": [
|
|
"Mongall"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6fb36c6f-bb3d-4ed6-9471-cb9933e5c154",
|
|
"value": "Mongall - S1026"
|
|
},
|
|
{
|
|
"description": "[BBSRAT](https://attack.mitre.org/software/S0127) is malware with remote access tool functionality that has been used in targeted compromises. (Citation: Palo Alto Networks BBSRAT)",
|
|
"meta": {
|
|
"external_id": "S0127",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/",
|
|
"https://attack.mitre.org/software/S0127"
|
|
],
|
|
"synonyms": [
|
|
"BBSRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
|
|
"value": "BBSRAT - S0127"
|
|
},
|
|
{
|
|
"description": "[KEYMARBLE](https://attack.mitre.org/software/S0271) is a Trojan that has reportedly been used by the North Korean government. (Citation: US-CERT KEYMARBLE Aug 2018)",
|
|
"meta": {
|
|
"external_id": "S0271",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0271",
|
|
"https://www.us-cert.gov/ncas/analysis-reports/AR18-221A"
|
|
],
|
|
"synonyms": [
|
|
"KEYMARBLE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22",
|
|
"value": "KEYMARBLE - S0271"
|
|
},
|
|
{
|
|
"description": "[SHUTTERSPEED](https://attack.mitre.org/software/S0217) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)",
|
|
"meta": {
|
|
"external_id": "S0217",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0217",
|
|
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d909efe3-abc3-4be0-9640-e4727542fa2b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d909efe3-abc3-4be0-9640-e4727542fa2b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8",
|
|
"value": "SHUTTERSPEED - S0217"
|
|
},
|
|
{
|
|
"description": "[Reaver](https://attack.mitre.org/software/S0172) is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the \"Five Poisons,\" which are movements the Chinese government considers dangerous. This type of malware is rare because its final payload takes the form of [Control Panel](https://attack.mitre.org/techniques/T1218/002) items.(Citation: Palo Alto Reaver Nov 2017)",
|
|
"meta": {
|
|
"external_id": "S0172",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0172",
|
|
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
|
|
],
|
|
"synonyms": [
|
|
"Reaver"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "826c31ca-2617-47e4-b236-205da3881182",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "826c31ca-2617-47e4-b236-205da3881182",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
|
|
"value": "Reaver - S0172"
|
|
},
|
|
{
|
|
"description": "[BADNEWS](https://attack.mitre.org/software/S0128) is malware that has been used by the actors responsible for the [Patchwork](https://attack.mitre.org/groups/G0040) campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017)",
|
|
"meta": {
|
|
"external_id": "S0128",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0128",
|
|
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
|
|
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
|
|
],
|
|
"synonyms": [
|
|
"BADNEWS"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e9595678-d269-469e-ae6b-75e49259de63",
|
|
"value": "BADNEWS - S0128"
|
|
},
|
|
{
|
|
"description": "[SLOWDRIFT](https://attack.mitre.org/software/S0218) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) against academic and strategic victims in South Korea. (Citation: FireEye APT37 Feb 2018)",
|
|
"meta": {
|
|
"external_id": "S0218",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0218",
|
|
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
|
|
],
|
|
"synonyms": [
|
|
"SLOWDRIFT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e5a9a2ec-348e-4a2f-98dd-16c3e8845576",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e5a9a2ec-348e-4a2f-98dd-16c3e8845576",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16",
|
|
"value": "SLOWDRIFT - S0218"
|
|
},
|
|
{
|
|
"description": "[Dok](https://attack.mitre.org/software/S0281) is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user's network traffic (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)).(Citation: objsee mac malware 2017)(Citation: hexed osx.dok analysis 2019)(Citation: CheckPoint Dok)",
|
|
"meta": {
|
|
"external_id": "S0281",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"http://www.hexed.in/2019/07/osxdok-analysis.html",
|
|
"https://attack.mitre.org/software/S0281",
|
|
"https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/",
|
|
"https://objective-see.com/blog/blog_0x25.html"
|
|
],
|
|
"synonyms": [
|
|
"Dok",
|
|
"Retefe"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "84601337-6a55-4ad7-9c35-79e0d1ea2ab3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f36b2598-515f-4345-84e5-5ccde253edbe",
|
|
"value": "Dok - S0281"
|
|
},
|
|
{
|
|
"description": "[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)",
|
|
"meta": {
|
|
"external_id": "S0182",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf",
|
|
"http://www.finfisher.com/FinFisher/index.html",
|
|
"https://attack.mitre.org/software/S0182",
|
|
"https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/",
|
|
"https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/",
|
|
"https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html"
|
|
],
|
|
"synonyms": [
|
|
"FinFisher",
|
|
"FinSpy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "541b64bc-87ec-4cc2-aaee-329355987853",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "541b64bc-87ec-4cc2-aaee-329355987853",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858",
|
|
"value": "FinFisher - S0182"
|
|
},
|
|
{
|
|
"description": "[Sunbird](https://attack.mitre.org/software/S1082) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Sunbird](https://attack.mitre.org/software/S1082) was first active in early 2017. While [Sunbird](https://attack.mitre.org/software/S1082) and [Hornbill](https://attack.mitre.org/software/S1077) overlap in core capabilities, [Sunbird](https://attack.mitre.org/software/S1082) has a more extensive set of malicious features.(Citation: lookout_hornbill_sunbird_0221)",
|
|
"meta": {
|
|
"external_id": "S1082",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1082",
|
|
"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"
|
|
],
|
|
"synonyms": [
|
|
"Sunbird"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9fa0d30-a8ff-45bf-922e-7720da0b7922",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "feae299d-e34f-4fc9-8545-486d0905bd41",
|
|
"value": "Sunbird - S1082"
|
|
},
|
|
{
|
|
"description": "[WINERACK](https://attack.mitre.org/software/S0219) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)",
|
|
"meta": {
|
|
"external_id": "S0219",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0219",
|
|
"https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "49025073-4cd3-43b8-b893-e80a1d3adc04",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "49025073-4cd3-43b8-b893-e80a1d3adc04",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "49abab73-3c5c-476e-afd5-69b5c732d845",
|
|
"value": "WINERACK - S0219"
|
|
},
|
|
{
|
|
"description": "[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. (Citation: Lookout-EnterpriseApps)",
|
|
"meta": {
|
|
"external_id": "S0291",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0291",
|
|
"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c709da93-20c3-4d17-ab68-48cba76b2137",
|
|
"value": "PJApps - S0291"
|
|
},
|
|
{
|
|
"description": "[Escobar](https://attack.mitre.org/software/S1092) is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.(Citation: Bleeipng Computer Escobar)",
|
|
"meta": {
|
|
"external_id": "S1092",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1092",
|
|
"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"
|
|
],
|
|
"synonyms": [
|
|
"Escobar"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0b761f2b-197a-40f2-b100-8152cb957c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ec13d292-6d8d-4c7a-b07c-a2bd2402569a",
|
|
"value": "Escobar - S1092"
|
|
},
|
|
{
|
|
"description": "[DCSrv](https://attack.mitre.org/software/S1033) is destructive malware that has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) since at least September 2021. Though [DCSrv](https://attack.mitre.org/software/S1033) has ransomware-like capabilities, [Moses Staff](https://attack.mitre.org/groups/G1009) does not demand ransom or offer a decryption key.(Citation: Checkpoint MosesStaff Nov 2021)",
|
|
"meta": {
|
|
"external_id": "S1033",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1033",
|
|
"https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/"
|
|
],
|
|
"synonyms": [
|
|
"DCSrv"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5633ffd3-81ef-4f98-8f93-4896b03998f0",
|
|
"value": "DCSrv - S1033"
|
|
},
|
|
{
|
|
"description": "[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. (Citation: FireEye-RuMMS)",
|
|
"meta": {
|
|
"external_id": "S0313",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0313",
|
|
"https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "936be60d-90eb-4c36-9247-4b31128432c4",
|
|
"value": "RuMMS - S0313"
|
|
},
|
|
{
|
|
"description": "[HotCroissant](https://attack.mitre.org/software/S0431) is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.(Citation: US-CERT HOTCROISSANT February 2020) [HotCroissant](https://attack.mitre.org/software/S0431) shares numerous code similarities with [Rifdoor](https://attack.mitre.org/software/S0433).(Citation: Carbon Black HotCroissant April 2020)",
|
|
"meta": {
|
|
"external_id": "S0431",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0431",
|
|
"https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
|
|
"https://www.us-cert.gov/ncas/analysis-reports/ar20-045d"
|
|
],
|
|
"synonyms": [
|
|
"HotCroissant"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "aad11e34-02ca-4220-91cd-2ed420af4db3",
|
|
"value": "HotCroissant - S0431"
|
|
},
|
|
{
|
|
"description": "[Downdelph](https://attack.mitre.org/software/S0134) is a first-stage downloader written in Delphi that has been used by [APT28](https://attack.mitre.org/groups/G0007) in rare instances between 2013 and 2015. (Citation: ESET Sednit Part 3)",
|
|
"meta": {
|
|
"external_id": "S0134",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf",
|
|
"https://attack.mitre.org/software/S0134"
|
|
],
|
|
"synonyms": [
|
|
"Downdelph",
|
|
"Delphacy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "837a295c-15ff-41c0-9b7e-5f2fb502b00a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "837a295c-15ff-41c0-9b7e-5f2fb502b00a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519",
|
|
"value": "Downdelph - S0134"
|
|
},
|
|
{
|
|
"description": "[Flame](https://attack.mitre.org/software/S0143) is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame)",
|
|
"meta": {
|
|
"external_id": "S0143",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0143",
|
|
"https://securelist.com/the-flame-questions-and-answers-51/34344/",
|
|
"https://www.crysys.hu/publications/files/skywiper.pdf",
|
|
"https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache"
|
|
],
|
|
"synonyms": [
|
|
"Flame",
|
|
"Flamer",
|
|
"sKyWIper"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "613d08bc-e8f4-4791-80b0-c8b974340dfd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d7963066-62ed-4494-9b8c-4b8b691a7c82",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d7963066-62ed-4494-9b8c-4b8b691a7c82",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
|
|
"value": "Flame - S0143"
|
|
},
|
|
{
|
|
"description": "[StrifeWater](https://attack.mitre.org/software/S1034) is a remote-access tool that has been used by [Moses Staff](https://attack.mitre.org/groups/G1009) in the initial stages of their attacks since at least November 2021.(Citation: Cybereason StrifeWater Feb 2022)",
|
|
"meta": {
|
|
"external_id": "S1034",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1034",
|
|
"https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations"
|
|
],
|
|
"synonyms": [
|
|
"StrifeWater"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "fb78294a-7d7a-4d38-8ad0-92e67fddc9f0",
|
|
"value": "StrifeWater - S1034"
|
|
},
|
|
{
|
|
"description": "[Xbash](https://attack.mitre.org/software/S0341) is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. [Xbash](https://attack.mitre.org/software/S0341) was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.(Citation: Unit42 Xbash Sept 2018)",
|
|
"meta": {
|
|
"external_id": "S0341",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0341",
|
|
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
|
|
],
|
|
"synonyms": [
|
|
"Xbash"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6a92d80f-cc65-45f6-aa66-3cdea6786b3c",
|
|
"value": "Xbash - S0341"
|
|
},
|
|
{
|
|
"description": "[Final1stspy](https://attack.mitre.org/software/S0355) is a dropper family that has been used to deliver [DOGCALL](https://attack.mitre.org/software/S0213).(Citation: Unit 42 Nokki Oct 2018)",
|
|
"meta": {
|
|
"external_id": "S0355",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0355",
|
|
"https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/"
|
|
],
|
|
"synonyms": [
|
|
"Final1stspy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71",
|
|
"value": "Final1stspy - S0355"
|
|
},
|
|
{
|
|
"description": "[AvosLocker](https://attack.mitre.org/software/S1053) is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, [AvosLocker](https://attack.mitre.org/software/S1053) had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.(Citation: Malwarebytes AvosLocker Jul 2021)(Citation: Trend Micro AvosLocker Apr 2022)(Citation: Joint CSA AvosLocker Mar 2022)",
|
|
"meta": {
|
|
"external_id": "S1053",
|
|
"mitre_platforms": [
|
|
"Linux",
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1053",
|
|
"https://www.ic3.gov/Media/News/2022/220318.pdf",
|
|
"https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners",
|
|
"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker"
|
|
],
|
|
"synonyms": [
|
|
"AvosLocker"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0945a1a5-a79a-47c8-9079-10c16cdfcb5d",
|
|
"value": "AvosLocker - S1053"
|
|
},
|
|
{
|
|
"description": "[Cannon](https://attack.mitre.org/software/S0351) is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. (Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)",
|
|
"meta": {
|
|
"external_id": "S0351",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0351",
|
|
"https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
|
|
"https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/"
|
|
],
|
|
"synonyms": [
|
|
"Cannon"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d20b397a-ea47-48a9-b503-2e2a3551e11d",
|
|
"value": "Cannon - S0351"
|
|
},
|
|
{
|
|
"description": "[HIDEDRV](https://attack.mitre.org/software/S0135) is a rootkit used by [APT28](https://attack.mitre.org/groups/G0007). It has been deployed along with [Downdelph](https://attack.mitre.org/software/S0134) to execute and hide that malware. (Citation: ESET Sednit Part 3) (Citation: Sekoia HideDRV Oct 2016)",
|
|
"meta": {
|
|
"external_id": "S0135",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf",
|
|
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf",
|
|
"https://attack.mitre.org/software/S0135"
|
|
],
|
|
"synonyms": [
|
|
"HIDEDRV"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4",
|
|
"value": "HIDEDRV - S0135"
|
|
},
|
|
{
|
|
"description": "[LiteDuke](https://attack.mitre.org/software/S0513) is a third stage backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016), primarily in 2014-2015. [LiteDuke](https://attack.mitre.org/software/S0513) used the same dropper as [PolyglotDuke](https://attack.mitre.org/software/S0518), and was found on machines also compromised by [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)",
|
|
"meta": {
|
|
"external_id": "S0513",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0513",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf"
|
|
],
|
|
"synonyms": [
|
|
"LiteDuke"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "95e2cbae-d82c-4f7b-b63c-16462015d35d",
|
|
"value": "LiteDuke - S0513"
|
|
},
|
|
{
|
|
"description": "[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)",
|
|
"meta": {
|
|
"external_id": "S0315",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0315",
|
|
"https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8269e779-db23-4c94-aafb-36ee94879417",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8269e779-db23-4c94-aafb-36ee94879417",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878",
|
|
"value": "DualToy - S0315"
|
|
},
|
|
{
|
|
"description": "[Grandoreiro](https://attack.mitre.org/software/S0531) is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. [Grandoreiro](https://attack.mitre.org/software/S0531) has confirmed victims in Brazil, Mexico, Portugal, and Spain.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)",
|
|
"meta": {
|
|
"external_id": "S0531",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0531",
|
|
"https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
|
|
"https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/"
|
|
],
|
|
"synonyms": [
|
|
"Grandoreiro"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "958b5d06-8bb0-4c5b-a2e7-0130fe654ac7",
|
|
"value": "Grandoreiro - S0531"
|
|
},
|
|
{
|
|
"description": "[RedLeaves](https://attack.mitre.org/software/S0153) is a malware family used by [menuPass](https://attack.mitre.org/groups/G0045). The code overlaps with [PlugX](https://attack.mitre.org/software/S0013) and may be based upon the open source tool Trochilus. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017)",
|
|
"meta": {
|
|
"external_id": "S0153",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0153",
|
|
"https://twitter.com/ItsReallyNick/status/850105140589633536",
|
|
"https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
|
|
"https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf"
|
|
],
|
|
"synonyms": [
|
|
"RedLeaves",
|
|
"BUGJUICE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "90124cc8-1205-4e63-83ad-5c45a110b1e6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a70e93a7-3578-47e1-9926-0818979ed866",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "ad6a1b4a-6d79-40d4-adb7-1d7ca697347e",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ad6a1b4a-6d79-40d4-adb7-1d7ca697347e",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "90124cc8-1205-4e63-83ad-5c45a110b1e6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "3df08e23-1d0b-41ed-b735-c4eca46ce48e",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "a70e93a7-3578-47e1-9926-0818979ed866",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
|
|
"value": "RedLeaves - S0153"
|
|
},
|
|
{
|
|
"description": "[Snip3](https://attack.mitre.org/software/S1086) is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including [AsyncRAT](https://attack.mitre.org/software/S1087), [Revenge RAT](https://attack.mitre.org/software/S0379), [Agent Tesla](https://attack.mitre.org/software/S0331), and [NETWIRE](https://attack.mitre.org/software/S0198).(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)",
|
|
"meta": {
|
|
"external_id": "S1086",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1086",
|
|
"https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
|
|
"https://telefonicatech.com/blog/snip3-investigacion-malware"
|
|
],
|
|
"synonyms": [
|
|
"Snip3"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4327aff5-f194-440c-b499-4d9730cc1eab",
|
|
"value": "Snip3 - S1086"
|
|
},
|
|
{
|
|
"description": "[USBStealer](https://attack.mitre.org/software/S0136) is malware that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with [ADVSTORESHELL](https://attack.mitre.org/software/S0045). (Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy)",
|
|
"meta": {
|
|
"external_id": "S0136",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/",
|
|
"https://attack.mitre.org/software/S0136",
|
|
"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
|
|
],
|
|
"synonyms": [
|
|
"USBStealer",
|
|
"USB Stealer",
|
|
"Win32/USBStealer"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "44909efb-7cd3-42e3-b225-9f3e96b5f362",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "44909efb-7cd3-42e3-b225-9f3e96b5f362",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
|
|
"value": "USBStealer - S0136"
|
|
},
|
|
{
|
|
"description": "[Chaes](https://attack.mitre.org/software/S0631) is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. [Chaes](https://attack.mitre.org/software/S0631) was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.(Citation: Cybereason Chaes Nov 2020)",
|
|
"meta": {
|
|
"external_id": "S0631",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0631",
|
|
"https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Chaes"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2cd950a6-16c4-404a-aa01-044322395107",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "77e0ecf7-ca91-4c06-8012-8e728986a87a",
|
|
"value": "Chaes - S0631"
|
|
},
|
|
{
|
|
"description": "[Janicab](https://attack.mitre.org/software/S0163) is an OS X trojan that relied on a valid developer ID and oblivious users to install it. (Citation: Janicab)",
|
|
"meta": {
|
|
"external_id": "S0163",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"http://www.thesafemac.com/new-signed-malware-called-janicab/",
|
|
"https://attack.mitre.org/software/S0163"
|
|
],
|
|
"synonyms": [
|
|
"Janicab"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3c20c4b-e12a-42e5-960a-eea4644014f4",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "c3c20c4b-e12a-42e5-960a-eea4644014f4",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "4af4e96f-c92d-4a45-9958-a88ad8deb38d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "234e7770-99b0-4f65-b983-d3230f76a60b",
|
|
"value": "Janicab - S0163"
|
|
},
|
|
{
|
|
"description": "[STARWHALE](https://attack.mitre.org/software/S1037) is a Windows Script File (WSF) backdoor that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069), possibly since at least November 2021; there is also a [STARWHALE](https://attack.mitre.org/software/S1037) variant written in Golang with similar capabilities. Security researchers have also noted the use of [STARWHALE](https://attack.mitre.org/software/S1037) by UNC3313, which may be associated with [MuddyWater](https://attack.mitre.org/groups/G0069).(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022)",
|
|
"meta": {
|
|
"external_id": "S1037",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1037",
|
|
"https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
|
|
"https://www.mandiant.com/resources/telegram-malware-iranian-espionage"
|
|
],
|
|
"synonyms": [
|
|
"STARWHALE",
|
|
"CANOPY"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e355fc84-6f3c-4888-8e0a-d7fa9c378532",
|
|
"value": "STARWHALE - S1037"
|
|
},
|
|
{
|
|
"description": "[CORESHELL](https://attack.mitre.org/software/S0137) is a downloader used by [APT28](https://attack.mitre.org/groups/G0007). The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)",
|
|
"meta": {
|
|
"external_id": "S0137",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0137",
|
|
"https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
|
|
"https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
|
|
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
|
|
],
|
|
"synonyms": [
|
|
"CORESHELL",
|
|
"Sofacy",
|
|
"SOURFACE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
|
|
"value": "CORESHELL - S0137"
|
|
},
|
|
{
|
|
"description": "[FLIPSIDE](https://attack.mitre.org/software/S0173) is a simple tool similar to Plink that is used by [FIN5](https://attack.mitre.org/groups/G0053) to maintain access to victims. (Citation: Mandiant FIN5 GrrCON Oct 2016)",
|
|
"meta": {
|
|
"external_id": "S0173",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0173",
|
|
"https://www.youtube.com/watch?v=fevGZs0EQu8"
|
|
],
|
|
"synonyms": [
|
|
"FLIPSIDE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0e18b800-906c-4e44-a143-b11c72b3448b",
|
|
"value": "FLIPSIDE - S0173"
|
|
},
|
|
{
|
|
"description": "[POWERTON](https://attack.mitre.org/software/S0371) is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by [APT33](https://attack.mitre.org/groups/G0064). At least two variants of the backdoor have been identified, with the later version containing improved functionality.(Citation: FireEye APT33 Guardrail)",
|
|
"meta": {
|
|
"external_id": "S0371",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0371",
|
|
"https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html"
|
|
],
|
|
"synonyms": [
|
|
"POWERTON"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e85cae1a-bce3-4ac4-b36b-b00acac0567b",
|
|
"value": "POWERTON - S0371"
|
|
},
|
|
{
|
|
"description": "[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. (Citation: Proofpoint-Marcher)",
|
|
"meta": {
|
|
"external_id": "S0317",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0317",
|
|
"https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f9854ba6-989d-43bf-828b-7240b8a65291",
|
|
"value": "Marcher - S0317"
|
|
},
|
|
{
|
|
"description": "[Royal](https://attack.mitre.org/software/S1073) is ransomware that first appeared in early 2022; a version that also targets ESXi servers was later observed in February 2023. [Royal](https://attack.mitre.org/software/S1073) employs partial encryption and multiple threads to evade detection and speed encryption. [Royal](https://attack.mitre.org/software/S1073) has been used in attacks against multiple industries worldwide--including critical infrastructure. Security researchers have identified similarities in the encryption routines and TTPs used in [Royal](https://attack.mitre.org/software/S1073) and [Conti](https://attack.mitre.org/software/S0575) attacks and noted a possible connection between their operators.(Citation: Microsoft Royal ransomware November 2022)(Citation: Cybereason Royal December 2022)(Citation: Kroll Royal Deep Dive February 2023)(Citation: Trend Micro Royal Linux ESXi February 2023)(Citation: CISA Royal AA23-061A March 2023)",
|
|
"meta": {
|
|
"external_id": "S1073",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1073",
|
|
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a",
|
|
"https://www.cybereason.com/blog/royal-ransomware-analysis",
|
|
"https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive",
|
|
"https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/",
|
|
"https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html"
|
|
],
|
|
"synonyms": [
|
|
"Royal"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "802a874d-7463-4f2a-99e3-6a1f5a919a21",
|
|
"value": "Royal - S1073"
|
|
},
|
|
{
|
|
"description": "[OLDBAIT](https://attack.mitre.org/software/S0138) is a credential harvester used by [APT28](https://attack.mitre.org/groups/G0007). (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)",
|
|
"meta": {
|
|
"external_id": "S0138",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0138",
|
|
"https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
|
|
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
|
|
],
|
|
"synonyms": [
|
|
"OLDBAIT",
|
|
"Sasfis"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6d1e2736-d363-49aa-9054-9c9e4ac0c520",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6d1e2736-d363-49aa-9054-9c9e4ac0c520",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be",
|
|
"value": "OLDBAIT - S0138"
|
|
},
|
|
{
|
|
"description": "[FlawedAmmyy](https://attack.mitre.org/software/S0381) is a remote access tool (RAT) that was first seen in early 2016. The code for [FlawedAmmyy](https://attack.mitre.org/software/S0381) was based on leaked source code for a version of Ammyy Admin, a remote access software.(Citation: Proofpoint TA505 Mar 2018)",
|
|
"meta": {
|
|
"external_id": "S0381",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0381",
|
|
"https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware"
|
|
],
|
|
"synonyms": [
|
|
"FlawedAmmyy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "432555de-63bf-4f2a-a3fa-f720a4561078",
|
|
"value": "FlawedAmmyy - S0381"
|
|
},
|
|
{
|
|
"description": "[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android\u2019s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)",
|
|
"meta": {
|
|
"external_id": "S1083",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1083",
|
|
"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"
|
|
],
|
|
"synonyms": [
|
|
"Chameleon"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2cf00c5a-857d-4cb6-8f03-82f15bee0f6f",
|
|
"value": "Chameleon - S1083"
|
|
},
|
|
{
|
|
"description": "[HAWKBALL](https://attack.mitre.org/software/S0391) is a backdoor that was observed in targeting of the government sector in Central Asia.(Citation: FireEye HAWKBALL Jun 2019)",
|
|
"meta": {
|
|
"external_id": "S0391",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0391",
|
|
"https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html"
|
|
],
|
|
"synonyms": [
|
|
"HAWKBALL"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "12a7450d-b03e-4990-a5b8-b405ab9c803b",
|
|
"value": "HAWKBALL - S0391"
|
|
},
|
|
{
|
|
"description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)",
|
|
"meta": {
|
|
"external_id": "S0319",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0319",
|
|
"https://thehackernews.com/2016/05/android-kernal-exploit.html"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "08784a9d-09e9-4dce-a839-9612398214e8",
|
|
"value": "Allwinner - S0319"
|
|
},
|
|
{
|
|
"description": "[Bumblebee](https://attack.mitre.org/software/S1039) is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. [Bumblebee](https://attack.mitre.org/software/S1039) has been linked to ransomware operations including [Conti](https://attack.mitre.org/software/S0575), Quantum, and Mountlocker and derived its name from the appearance of \"bumblebee\" in the user-agent.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)\n",
|
|
"meta": {
|
|
"external_id": "S1039",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1039",
|
|
"https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
|
|
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
|
|
"https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming"
|
|
],
|
|
"synonyms": [
|
|
"Bumblebee"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "04378e79-4387-468a-a8f7-f974b8254e44",
|
|
"value": "Bumblebee - S1039"
|
|
},
|
|
{
|
|
"description": "[PowerDuke](https://attack.mitre.org/software/S0139) is a backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. (Citation: Volexity PowerDuke November 2016)",
|
|
"meta": {
|
|
"external_id": "S0139",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0139",
|
|
"https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
|
|
],
|
|
"synonyms": [
|
|
"PowerDuke"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
|
|
"value": "PowerDuke - S0139"
|
|
},
|
|
{
|
|
"description": "[FlyTrap](https://attack.mitre.org/software/S1093) is an Android trojan, first detected in March 2021, that uses social engineering tactics to compromise Facebook accounts. [FlyTrap](https://attack.mitre.org/software/S1093) was initially detected through infected apps on the Google Play store, and is believed to have impacted over 10,000 victims across at least 140 countries.(Citation: Trend Micro FlyTrap)",
|
|
"meta": {
|
|
"external_id": "S1093",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1093",
|
|
"https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/"
|
|
],
|
|
"synonyms": [
|
|
"FlyTrap"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8338393c-cb2e-4ee6-b944-34672499c785",
|
|
"value": "FlyTrap - S1093"
|
|
},
|
|
{
|
|
"description": "[BabyShark](https://attack.mitre.org/software/S0414) is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. (Citation: Unit42 BabyShark Feb 2019)",
|
|
"meta": {
|
|
"external_id": "S0414",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0414",
|
|
"https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/",
|
|
"https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
|
|
],
|
|
"synonyms": [
|
|
"BabyShark"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d1b7830a-fced-4be3-a99c-f495af9d9e1b",
|
|
"value": "BabyShark - S0414"
|
|
},
|
|
{
|
|
"description": "[ChChes](https://attack.mitre.org/software/S0144) is a Trojan that appears to be used exclusively by [menuPass](https://attack.mitre.org/groups/G0045). It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017)",
|
|
"meta": {
|
|
"external_id": "S0144",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html",
|
|
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
|
|
"https://attack.mitre.org/software/S0144",
|
|
"https://twitter.com/ItsReallyNick/status/850105140589633536",
|
|
"https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
|
|
"https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf"
|
|
],
|
|
"synonyms": [
|
|
"ChChes",
|
|
"Scorpion",
|
|
"HAYMAKER"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d71604d2-a17e-4b4e-82be-19cb54f93161",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d71604d2-a17e-4b4e-82be-19cb54f93161",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
|
|
"value": "ChChes - S0144"
|
|
},
|
|
{
|
|
"description": "[FunnyDream](https://attack.mitre.org/software/S1044) is a backdoor with multiple components that was used during the [FunnyDream](https://attack.mitre.org/campaigns/C0007) campaign since at least 2019, primarily for execution and exfiltration.(Citation: Bitdefender FunnyDream Campaign November 2020)",
|
|
"meta": {
|
|
"external_id": "S1044",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1044",
|
|
"https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf"
|
|
],
|
|
"synonyms": [
|
|
"FunnyDream"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "be25c1c0-1590-4219-a3d5-6f31799d1d1b",
|
|
"value": "FunnyDream - S1044"
|
|
},
|
|
{
|
|
"description": "[PowerShower](https://attack.mitre.org/software/S0441) is a PowerShell backdoor used by [Inception](https://attack.mitre.org/groups/G0100) for initial reconnaissance and to download and execute second-stage payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)",
|
|
"meta": {
|
|
"external_id": "S0441",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0441",
|
|
"https://securelist.com/recent-cloud-atlas-activity/92016/",
|
|
"https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/"
|
|
],
|
|
"synonyms": [
|
|
"PowerShower"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "53486bc7-7748-4716-8190-e4f1fde04c53",
|
|
"value": "PowerShower - S0441"
|
|
},
|
|
{
|
|
"description": "[BOOSTWRITE](https://attack.mitre.org/software/S0415) is a loader crafted to be launched via abuse of the DLL search order of applications used by [FIN7](https://attack.mitre.org/groups/G0046).(Citation: FireEye FIN7 Oct 2019)",
|
|
"meta": {
|
|
"external_id": "S0415",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0415",
|
|
"https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html"
|
|
],
|
|
"synonyms": [
|
|
"BOOSTWRITE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "56d10a7f-bb42-4267-9b4c-63abb9c06010",
|
|
"value": "BOOSTWRITE - S0415"
|
|
},
|
|
{
|
|
"description": "[POWERSOURCE](https://attack.mitre.org/software/S0145) is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017)",
|
|
"meta": {
|
|
"external_id": "S0145",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://blog.talosintelligence.com/2017/03/dnsmessenger.html",
|
|
"https://attack.mitre.org/software/S0145",
|
|
"https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html"
|
|
],
|
|
"synonyms": [
|
|
"POWERSOURCE",
|
|
"DNSMessenger"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
|
|
"value": "POWERSOURCE - S0145"
|
|
},
|
|
{
|
|
"description": "[Drinik](https://attack.mitre.org/software/S1054) is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, [Drinik](https://attack.mitre.org/software/S1054) resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)",
|
|
"meta": {
|
|
"external_id": "S1054",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1054",
|
|
"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"
|
|
],
|
|
"synonyms": [
|
|
"Drinik"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d6e009b7-df5e-447a-bfd2-d5b77374edfe",
|
|
"value": "Drinik - S1054"
|
|
},
|
|
{
|
|
"description": "[LoudMiner](https://attack.mitre.org/software/S0451) is a cryptocurrency miner that uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)",
|
|
"meta": {
|
|
"external_id": "S0451",
|
|
"mitre_platforms": [
|
|
"macOS",
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0451",
|
|
"https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/"
|
|
],
|
|
"synonyms": [
|
|
"LoudMiner"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "810aa4ad-61c9-49cb-993f-daa06199421d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f99f3dcc-683f-4936-8791-075ac5e58f10",
|
|
"value": "LoudMiner - S0451"
|
|
},
|
|
{
|
|
"description": "[WellMess](https://attack.mitre.org/software/S0514) is a lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by [APT29](https://attack.mitre.org/groups/G0016).(Citation: CISA WellMess July 2020)(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)",
|
|
"meta": {
|
|
"external_id": "S0514",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0514",
|
|
"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b",
|
|
"https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf",
|
|
"https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html"
|
|
],
|
|
"synonyms": [
|
|
"WellMess"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3a4197ae-ec63-4162-907b-9a073d1157e4",
|
|
"value": "WellMess - S0514"
|
|
},
|
|
{
|
|
"description": "[TEXTMATE](https://attack.mitre.org/software/S0146) is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with [POWERSOURCE](https://attack.mitre.org/software/S0145) in February 2017. (Citation: FireEye FIN7 March 2017)",
|
|
"meta": {
|
|
"external_id": "S0146",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://blog.talosintelligence.com/2017/03/dnsmessenger.html",
|
|
"https://attack.mitre.org/software/S0146",
|
|
"https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html"
|
|
],
|
|
"synonyms": [
|
|
"TEXTMATE",
|
|
"DNSMessenger"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
|
|
"value": "TEXTMATE - S0146"
|
|
},
|
|
{
|
|
"description": "[CostaBricks](https://attack.mitre.org/software/S0614) is a loader that was used to deploy 32-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)",
|
|
"meta": {
|
|
"external_id": "S0614",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0614",
|
|
"https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced"
|
|
],
|
|
"synonyms": [
|
|
"CostaBricks"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5d342981-5194-41e7-b33f-8e91998d7d88",
|
|
"value": "CostaBricks - S0614"
|
|
},
|
|
{
|
|
"description": "[SDBbot](https://attack.mitre.org/software/S0461) is a backdoor with installer and loader components that has been used by [TA505](https://attack.mitre.org/groups/G0092) since at least 2019.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)",
|
|
"meta": {
|
|
"external_id": "S0461",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0461",
|
|
"https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
|
|
"https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader"
|
|
],
|
|
"synonyms": [
|
|
"SDBbot"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "92b03a94-7147-4952-9d5a-b4d24da7487c",
|
|
"value": "SDBbot - S0461"
|
|
},
|
|
{
|
|
"description": "[SVCReady](https://attack.mitre.org/software/S1064) is a loader that has been used since at least April 2022 in malicious spam campaigns. Security researchers have noted overlaps between [TA551](https://attack.mitre.org/groups/G0127) activity and [SVCReady](https://attack.mitre.org/software/S1064) distribution, including similarities in file names, lure images, and identical grammatical errors.(Citation: HP SVCReady Jun 2022)",
|
|
"meta": {
|
|
"external_id": "S1064",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1064",
|
|
"https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/"
|
|
],
|
|
"synonyms": [
|
|
"SVCReady"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7230ded7-3b1a-4d6e-9735-d0ffd47af9f6",
|
|
"value": "SVCReady - S1064"
|
|
},
|
|
{
|
|
"description": "[RDFSNIFFER](https://attack.mitre.org/software/S0416) is a module loaded by [BOOSTWRITE](https://attack.mitre.org/software/S0415) which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT technicians.(Citation: FireEye FIN7 Oct 2019)",
|
|
"meta": {
|
|
"external_id": "S0416",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0416",
|
|
"https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html"
|
|
],
|
|
"synonyms": [
|
|
"RDFSNIFFER"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "065196de-d7e8-4888-acfb-b2134022ba1b",
|
|
"value": "RDFSNIFFER - S0416"
|
|
},
|
|
{
|
|
"description": "[TDTESS](https://attack.mitre.org/software/S0164) is a 64-bit .NET binary backdoor used by [CopyKittens](https://attack.mitre.org/groups/G0052). (Citation: ClearSky Wilted Tulip July 2017)",
|
|
"meta": {
|
|
"external_id": "S0164",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf",
|
|
"https://attack.mitre.org/software/S0164"
|
|
],
|
|
"synonyms": [
|
|
"TDTESS"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a",
|
|
"value": "TDTESS - S0164"
|
|
},
|
|
{
|
|
"description": "[PowGoop](https://attack.mitre.org/software/S1046) is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) as their main loader.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022)",
|
|
"meta": {
|
|
"external_id": "S1046",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1046",
|
|
"https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
|
|
"https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/"
|
|
],
|
|
"synonyms": [
|
|
"PowGoop"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c19d19ae-dd58-4584-8469-966bbeaa80e3",
|
|
"value": "PowGoop - S1046"
|
|
},
|
|
{
|
|
"description": "[Kobalos](https://attack.mitre.org/software/S0641) is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. [Kobalos](https://attack.mitre.org/software/S0641) has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. [Kobalos](https://attack.mitre.org/software/S0641) was first identified in late 2019.(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)",
|
|
"meta": {
|
|
"external_id": "S0641",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0641",
|
|
"https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Kobalos"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9abdda30-08e0-4ab1-9cf0-d447654c6de9",
|
|
"value": "Kobalos - S0641"
|
|
},
|
|
{
|
|
"description": "[ANDROMEDA](https://attack.mitre.org/software/S1074) is commodity malware that was widespread in the early 2010s and continues to be observed in infections across a wide variety of industries. During the 2022 [C0026](https://attack.mitre.org/campaigns/C0026) campaign, threat actors re-registered expired [ANDROMEDA](https://attack.mitre.org/software/S1074) C2 domains to spread malware to select targets in Ukraine.(Citation: Mandiant Suspected Turla Campaign February 2023)",
|
|
"meta": {
|
|
"external_id": "S1074",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1074",
|
|
"https://www.mandiant.com/resources/blog/turla-galaxy-opportunity"
|
|
],
|
|
"synonyms": [
|
|
"ANDROMEDA"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "dcd9548e-df9e-47c2-81f3-bc084289959d",
|
|
"value": "ANDROMEDA - S1074"
|
|
},
|
|
{
|
|
"description": "[GRIFFON](https://attack.mitre.org/software/S0417) is a JavaScript backdoor used by [FIN7](https://attack.mitre.org/groups/G0046). (Citation: SecureList Griffon May 2019)",
|
|
"meta": {
|
|
"external_id": "S0417",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0417",
|
|
"https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/"
|
|
],
|
|
"synonyms": [
|
|
"GRIFFON"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "04fc1842-f9e4-47cf-8cb8-5c61becad142",
|
|
"value": "GRIFFON - S0417"
|
|
},
|
|
{
|
|
"description": "[Mori](https://attack.mitre.org/software/S1047) is a backdoor that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022)",
|
|
"meta": {
|
|
"external_id": "S1047",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1047",
|
|
"https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
|
|
"https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/"
|
|
],
|
|
"synonyms": [
|
|
"Mori"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7e100ca4-e639-48d9-9a9d-8ad84aa7b448",
|
|
"value": "Mori - S1047"
|
|
},
|
|
{
|
|
"description": "[Pteranodon](https://attack.mitre.org/software/S0147) is a custom backdoor used by [Gamaredon Group](https://attack.mitre.org/groups/G0047). (Citation: Palo Alto Gamaredon Feb 2017)",
|
|
"meta": {
|
|
"external_id": "S0147",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0147",
|
|
"https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
|
|
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
|
|
"https://www.secureworks.com/research/threat-profiles/iron-tilden"
|
|
],
|
|
"synonyms": [
|
|
"Pteranodon",
|
|
"Pterodo"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
|
|
"value": "Pteranodon - S0147"
|
|
},
|
|
{
|
|
"description": "[build_downer](https://attack.mitre.org/software/S0471) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)",
|
|
"meta": {
|
|
"external_id": "S0471",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0471",
|
|
"https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf"
|
|
],
|
|
"synonyms": [
|
|
"build_downer"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40",
|
|
"value": "build_downer - S0471"
|
|
},
|
|
{
|
|
"description": "[QUIETEXIT](https://attack.mitre.org/software/S1084) is a novel backdoor, based on the open-source Dropbear SSH client-server software, that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021. [APT29](https://attack.mitre.org/groups/G0016) has deployed [QUIETEXIT](https://attack.mitre.org/software/S1084) on opaque network appliances that typically don't support antivirus or endpoint detection and response tools within a victim environment.(Citation: Mandiant APT29 Eye Spy Email Nov 22)",
|
|
"meta": {
|
|
"external_id": "S1084",
|
|
"mitre_platforms": [
|
|
"Network"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1084",
|
|
"https://www.mandiant.com/resources/blog/unc3524-eye-spy-email"
|
|
],
|
|
"synonyms": [
|
|
"QUIETEXIT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4816d361-f82b-4a18-aa05-b215e7cf9200",
|
|
"value": "QUIETEXIT - S1084"
|
|
},
|
|
{
|
|
"description": "[POWRUNER](https://attack.mitre.org/software/S0184) is a PowerShell script that sends and receives commands to and from the C2 server. (Citation: FireEye APT34 Dec 2017)",
|
|
"meta": {
|
|
"external_id": "S0184",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0184",
|
|
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
|
|
],
|
|
"synonyms": [
|
|
"POWRUNER"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
|
|
"value": "POWRUNER - S0184"
|
|
},
|
|
{
|
|
"description": "[ViceLeaker](https://attack.mitre.org/software/S0418) is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)",
|
|
"meta": {
|
|
"external_id": "S0418",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0418",
|
|
"https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/",
|
|
"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"
|
|
],
|
|
"synonyms": [
|
|
"ViceLeaker",
|
|
"Triout"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6fcaf9b0-b509-4644-9f93-556222c81ed2",
|
|
"value": "ViceLeaker - S0418"
|
|
},
|
|
{
|
|
"description": "[RTM](https://attack.mitre.org/software/S0148) is custom malware written in Delphi. It is used by the group of the same name ([RTM](https://attack.mitre.org/groups/G0048)). Newer versions of the malware have been reported publicly as Redaman.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)",
|
|
"meta": {
|
|
"external_id": "S0148",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0148",
|
|
"https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
|
|
],
|
|
"synonyms": [
|
|
"RTM",
|
|
"Redaman"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6952b4d-e96d-4641-a88f-60074776d553",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6952b4d-e96d-4641-a88f-60074776d553",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
|
|
"value": "RTM - S0148"
|
|
},
|
|
{
|
|
"description": "[SUGARUSH](https://attack.mitre.org/software/S1049) is a small custom backdoor that can establish a reverse shell over TCP to a hard-coded C2 address. [SUGARUSH](https://attack.mitre.org/software/S1049) was first identified during analysis of UNC3890's [C0010](https://attack.mitre.org/campaigns/C0010) campaign targeting Israeli companies, which began in late 2020.(Citation: Mandiant UNC3890 Aug 2022)",
|
|
"meta": {
|
|
"external_id": "S1049",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1049",
|
|
"https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping"
|
|
],
|
|
"synonyms": [
|
|
"SUGARUSH"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "44e2a842-415b-47f4-8549-83fbdb8a5674",
|
|
"value": "SUGARUSH - S1049"
|
|
},
|
|
{
|
|
"description": "[SimBad](https://attack.mitre.org/software/S0419) was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name \"SimBad\" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)",
|
|
"meta": {
|
|
"external_id": "S0419",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0419",
|
|
"https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/"
|
|
],
|
|
"synonyms": [
|
|
"SimBad"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f79c01eb-2954-40d8-a819-00b342f47ce7",
|
|
"value": "SimBad - S0419"
|
|
},
|
|
{
|
|
"description": "[MoonWind](https://attack.mitre.org/software/S0149) is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. (Citation: Palo Alto MoonWind March 2017)",
|
|
"meta": {
|
|
"external_id": "S0149",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/",
|
|
"https://attack.mitre.org/software/S0149"
|
|
],
|
|
"synonyms": [
|
|
"MoonWind"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "76ec1827-68a1-488f-9899-2b788ea8db64",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f266754c-d0aa-4918-95a3-73b28eaa66e3",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f266754c-d0aa-4918-95a3-73b28eaa66e3",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "76ec1827-68a1-488f-9899-2b788ea8db64",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
|
|
"value": "MoonWind - S0149"
|
|
},
|
|
{
|
|
"description": "[StrongPity](https://attack.mitre.org/software/S0491) is an information stealing malware used by [PROMETHIUM](https://attack.mitre.org/groups/G0056).(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)",
|
|
"meta": {
|
|
"external_id": "S0491",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0491",
|
|
"https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html",
|
|
"https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf"
|
|
],
|
|
"synonyms": [
|
|
"StrongPity"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "20945359-3b39-4542-85ef-08ecb4e1c174",
|
|
"value": "StrongPity - S0491"
|
|
},
|
|
{
|
|
"description": "[SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)",
|
|
"meta": {
|
|
"external_id": "S1055",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1055",
|
|
"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"
|
|
],
|
|
"synonyms": [
|
|
"SharkBot"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "28fdd23d-aee3-4afe-bc3f-5f1f52929258",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bb4387ab-7a51-468b-bf5f-a9a8612f0303",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9cd72f5c-bec0-4f7e-bb6d-296937116291",
|
|
"value": "SharkBot - S1055"
|
|
},
|
|
{
|
|
"description": "[WINDSHIELD](https://attack.mitre.org/software/S0155) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)",
|
|
"meta": {
|
|
"external_id": "S0155",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0155",
|
|
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a89ed72c-202d-486b-9349-6ffc0a61e30a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c",
|
|
"value": "WINDSHIELD - S0155"
|
|
},
|
|
{
|
|
"description": "[GoldenEagle](https://attack.mitre.org/software/S0551) is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.(Citation: Lookout Uyghur Campaign)",
|
|
"meta": {
|
|
"external_id": "S0551",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0551",
|
|
"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"
|
|
],
|
|
"synonyms": [
|
|
"GoldenEagle"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0b9c5d11-651a-4378-b129-5c584d0242c5",
|
|
"value": "GoldenEagle - S0551"
|
|
},
|
|
{
|
|
"description": "[WellMail](https://attack.mitre.org/software/S0515) is a lightweight malware written in Golang used by [APT29](https://attack.mitre.org/groups/G0016), similar in design and structure to [WellMess](https://attack.mitre.org/software/S0514).(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)",
|
|
"meta": {
|
|
"external_id": "S0515",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0515",
|
|
"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c",
|
|
"https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf"
|
|
],
|
|
"synonyms": [
|
|
"WellMail"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "959f3b19-2dc8-48d5-8942-c66813a5101a",
|
|
"value": "WellMail - S0515"
|
|
},
|
|
{
|
|
"description": "[SombRAT](https://attack.mitre.org/software/S0615) is a modular backdoor written in C++ that has been used since at least 2019 to download and execute malicious payloads, including [FIVEHANDS](https://attack.mitre.org/software/S0618) ransomware.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)",
|
|
"meta": {
|
|
"external_id": "S0615",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0615",
|
|
"https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced",
|
|
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
|
|
"https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
|
|
],
|
|
"synonyms": [
|
|
"SombRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "425771c5-48b4-4ecd-9f95-74ed3fc9da59",
|
|
"value": "SombRAT - S0615"
|
|
},
|
|
{
|
|
"description": "[BoxCaon](https://attack.mitre.org/software/S0651) is a Windows backdoor that was used by [IndigoZebra](https://attack.mitre.org/groups/G0136) in a 2021 spearphishing campaign against Afghan government officials. [BoxCaon](https://attack.mitre.org/software/S0651)'s name stems from similarities shared with the malware family [xCaon](https://attack.mitre.org/software/S0653).(Citation: Checkpoint IndigoZebra July 2021)",
|
|
"meta": {
|
|
"external_id": "S0651",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0651",
|
|
"https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/",
|
|
"https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html"
|
|
],
|
|
"synonyms": [
|
|
"BoxCaon"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "919a056e-5104-43b9-ad55-2ac929108b71",
|
|
"value": "BoxCaon - S0651"
|
|
},
|
|
{
|
|
"description": "[SoreFang](https://attack.mitre.org/software/S0516) is a first-stage downloader used by [APT29](https://attack.mitre.org/groups/G0016) for exfiltration and to load other malware.(Citation: NCSC APT29 July 2020)(Citation: CISA SoreFang July 2016)",
|
|
"meta": {
|
|
"external_id": "S0516",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0516",
|
|
"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a",
|
|
"https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf"
|
|
],
|
|
"synonyms": [
|
|
"SoreFang"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e33e4603-afab-402d-b2a1-248d435b5fe0",
|
|
"value": "SoreFang - S0516"
|
|
},
|
|
{
|
|
"description": "[KOMPROGO](https://attack.mitre.org/software/S0156) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050) that is capable of process, file, and registry management. (Citation: FireEye APT32 May 2017)",
|
|
"meta": {
|
|
"external_id": "S0156",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0156",
|
|
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
|
|
],
|
|
"synonyms": [
|
|
"KOMPROGO"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "321e2bd3-2d98-41d6-8402-3949f514c548",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a",
|
|
"value": "KOMPROGO - S0156"
|
|
},
|
|
{
|
|
"description": "[GuLoader](https://attack.mitre.org/software/S0561) is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including [NETWIRE](https://attack.mitre.org/software/S0198), [Agent Tesla](https://attack.mitre.org/software/S0331), [NanoCore](https://attack.mitre.org/software/S0336), FormBook, and Parallax RAT.(Citation: Unit 42 NETWIRE April 2020)(Citation: Medium Eli Salem GuLoader April 2021)",
|
|
"meta": {
|
|
"external_id": "S0561",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0561",
|
|
"https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4",
|
|
"https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/"
|
|
],
|
|
"synonyms": [
|
|
"GuLoader"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "45c759ac-b490-48bb-80d4-c8eee3431027",
|
|
"value": "GuLoader - S0561"
|
|
},
|
|
{
|
|
"description": "[OSInfo](https://attack.mitre.org/software/S0165) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to do internal discovery on a victim's computer and network. (Citation: Symantec Buckeye)",
|
|
"meta": {
|
|
"external_id": "S0165",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
|
|
"https://attack.mitre.org/software/S0165"
|
|
],
|
|
"synonyms": [
|
|
"OSInfo"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8",
|
|
"value": "OSInfo - S0165"
|
|
},
|
|
{
|
|
"description": "[TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. [TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122)",
|
|
"meta": {
|
|
"external_id": "S1056",
|
|
"mitre_platforms": [
|
|
"Android",
|
|
"iOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1056",
|
|
"https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"
|
|
],
|
|
"synonyms": [
|
|
"TianySpy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "29f1f56c-7b7a-4c14-9e39-59577ea2743c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3e091a89-a493-4a6c-8e88-d57be19bb98d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6",
|
|
"value": "TianySpy - S1056"
|
|
},
|
|
{
|
|
"description": "[KOPILUWAK](https://attack.mitre.org/software/S1075) is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.(Citation: Mandiant Suspected Turla Campaign February 2023)",
|
|
"meta": {
|
|
"external_id": "S1075",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1075",
|
|
"https://www.mandiant.com/resources/blog/turla-galaxy-opportunity"
|
|
],
|
|
"synonyms": [
|
|
"KOPILUWAK"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "09fcc02f-f9d4-43fa-8609-5e5e186b7103",
|
|
"value": "KOPILUWAK - S1075"
|
|
},
|
|
{
|
|
"description": "[SOUNDBITE](https://attack.mitre.org/software/S0157) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)",
|
|
"meta": {
|
|
"external_id": "S0157",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0157",
|
|
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
|
|
],
|
|
"synonyms": [
|
|
"SOUNDBITE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f5ac89a7-e129-43b7-bd68-e3cb1e5a3ba2",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9ca488bd-9587-48ef-b923-1743523e63b2",
|
|
"value": "SOUNDBITE - S0157"
|
|
},
|
|
{
|
|
"description": "[Pillowmint](https://attack.mitre.org/software/S0517) is a point-of-sale malware used by [FIN7](https://attack.mitre.org/groups/G0046) designed to capture credit card information.(Citation: Trustwave Pillowmint June 2020)",
|
|
"meta": {
|
|
"external_id": "S0517",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0517",
|
|
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/"
|
|
],
|
|
"synonyms": [
|
|
"Pillowmint"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "bd7a9e13-69fa-4243-a5e5-04326a63f9f2",
"value": "Pillowmint - S0517"
},
{
"description": "[SEASHARPEE](https://attack.mitre.org/software/S0185) is a Web shell that has been used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: FireEye APT34 Webinar Dec 2017)",
"meta": {
"external_id": "S0185",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0185",
"https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east"
],
"synonyms": [
"SEASHARPEE"
]
},
"related": [
{
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
"type": "uses"
},
{
"dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0998045d-f96e-4284-95ce-3c8219707486",
"value": "SEASHARPEE - S0185"
},
{
"description": "[PHOREAL](https://attack.mitre.org/software/S0158) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)",
"meta": {
"external_id": "S0158",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0158",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
],
"synonyms": [
"PHOREAL"
]
},
"related": [
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "f9c6da03-8cb1-4383-9d52-a614c42082bf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e",
"value": "PHOREAL - S0158"
},
{
"description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) is a downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2013. [PolyglotDuke](https://attack.mitre.org/software/S0518) has been used to drop [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)",
"meta": {
"external_id": "S0518",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0518",
"https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf"
],
"synonyms": [
"PolyglotDuke"
]
},
"related": [
{
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
"type": "uses"
},
{
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
"type": "uses"
}
],
"uuid": "3d57dcc4-be99-4613-9482-d5218f5ec13e",
"value": "PolyglotDuke - S0518"
},
{
"description": "[Prestige](https://attack.mitre.org/software/S1058) ransomware has been used by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least March 2022, including against transportation and related logistics industries in Ukraine and Poland in October 2022.(Citation: Microsoft Prestige ransomware October 2022)",
"meta": {
"external_id": "S1058",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S1058",
"https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"
],
"synonyms": [
"Prestige"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
},
{
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "uses"
},
{
"dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "uses"
},
{
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
"type": "uses"
},
{
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
"type": "uses"
}
],
"uuid": "1da748a5-875d-4212-9222-b4c23ab861be",
"value": "Prestige - S1058"
},
{
"description": "[Sardonic](https://attack.mitre.org/software/S1085) is a backdoor written in C and C++ that is known to be used by [FIN8](https://attack.mitre.org/groups/G0061), as early as August 2021 to target a financial institution in the United States. [Sardonic](https://attack.mitre.org/software/S1085) has a plugin system that can load specially made DLLs and execute their functions.(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)",
"meta": {
"external_id": "S1085",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S1085",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor",
"https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf"
],
"synonyms": [
"Sardonic"
]
},
"related": [
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"type": "uses"
},
{
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
"type": "uses"
},
{
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "uses"
},
{
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"type": "uses"
},
{
"dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605",
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"type": "uses"
},
{
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
}
],
"uuid": "0c52f5bc-557d-4083-bd27-66d7cdb794bb",
"value": "Sardonic - S1085"
},
{
"description": "[SNUGRIDE](https://attack.mitre.org/software/S0159) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045) as first stage malware. (Citation: FireEye APT10 April 2017)",
"meta": {
"external_id": "S0159",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0159",
"https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html"
],
"synonyms": [
"SNUGRIDE"
]
},
"related": [
{
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
"type": "uses"
},
{
"dest-uuid": "6a42aa10-5b7e-43b0-8c58-414cdaeda453",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "6a42aa10-5b7e-43b0-8c58-414cdaeda453",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "12b524b9-0d94-400f-904f-615f4f764aaf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870",
"value": "SNUGRIDE - S0159"
},
{
"description": "[metaMain](https://attack.mitre.org/software/S1059) is a backdoor used by [Metador](https://attack.mitre.org/groups/G1013) to maintain long-term access to compromised machines; it has also been used to decrypt [Mafalda](https://attack.mitre.org/software/S1060) into memory.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)",
"meta": {
"external_id": "S1059",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://assets.sentinelone.com/sentinellabs22/metador#page=1",
"https://attack.mitre.org/software/S1059",
"https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm"
],
"synonyms": [
"metaMain"
]
},
"related": [
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
"type": "uses"
},
{
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
"type": "uses"
},
{
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"type": "uses"
},
{
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
"type": "uses"
},
{
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
"type": "uses"
},
{
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"type": "uses"
},
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
"type": "uses"
}
],
"uuid": "df350889-4de9-44e5-8cb3-888b8343e97c",
"value": "metaMain - S1059"
},
{
"description": "[DEATHRANSOM](https://attack.mitre.org/software/S0616) is ransomware written in C that has been used since at least 2020, and has potential overlap with [FIVEHANDS](https://attack.mitre.org/software/S0618) and [HELLOKITTY](https://attack.mitre.org/software/S0617).(Citation: FireEye FiveHands April 2021)",
"meta": {
"external_id": "S0616",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0616",
"https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
],
"synonyms": [
"DEATHRANSOM"
]
},
"related": [
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
"type": "uses"
},
{
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
"type": "uses"
}
],
"uuid": "6de9cad1-eed2-4e27-b0b5-39fa29349ea0",
"value": "DEATHRANSOM - S0616"
},
{
"description": "[RemoteCMD](https://attack.mitre.org/software/S0166) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to execute commands on a remote system, similar to Sysinternals' PsExec functionality. (Citation: Symantec Buckeye)",
"meta": {
"external_id": "S0166",
"mitre_platforms": [
"Windows"
],
"refs": [
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://attack.mitre.org/software/S0166"
],
"synonyms": [
"RemoteCMD"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"type": "uses"
},
{
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26",
"value": "RemoteCMD - S0166"
},
{
"description": "[DarkTortilla](https://attack.mitre.org/software/S1066) is a highly configurable .NET-based crypter that has possibly been active since at least August 2015. [DarkTortilla](https://attack.mitre.org/software/S1066) has been used to deliver popular information stealers, RATs, and payloads such as [Agent Tesla](https://attack.mitre.org/software/S0331), AsyncRat, [NanoCore](https://attack.mitre.org/software/S0336), RedLine, [Cobalt Strike](https://attack.mitre.org/software/S0154), and Metasploit.(Citation: Secureworks DarkTortilla Aug 2022)",
"meta": {
"external_id": "S1066",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S1066",
"https://www.secureworks.com/research/darktortilla-malware-analysis"
],
"synonyms": [
"DarkTortilla"
]
},
"related": [
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
"type": "uses"
},
{
"dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
"type": "uses"
},
{
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"type": "uses"
},
{
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
"type": "uses"
},
{
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
"type": "uses"
},
{
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
"type": "uses"
},
{
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
"type": "uses"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"type": "uses"
},
{
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"type": "uses"
},
{
"dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35",
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
},
{
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
"type": "uses"
},
{
"dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335",
"type": "uses"
}
],
"uuid": "5faaf81a-aa5b-4a4b-bae5-522439e068f8",
"value": "DarkTortilla - S1066"
},
{
"description": "[FoggyWeb](https://attack.mitre.org/software/S0661) is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive information from a compromised Active Directory Federated Services (AD FS) server. It has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least early April 2021.(Citation: MSTIC FoggyWeb September 2021)",
"meta": {
"external_id": "S0661",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0661",
"https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/"
],
"synonyms": [
"FoggyWeb"
]
},
"related": [
{
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
"type": "uses"
},
{
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
"type": "uses"
},
{
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"type": "uses"
},
{
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
"type": "uses"
},
{
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
"type": "uses"
},
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "uses"
},
{
"dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
"type": "uses"
},
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"type": "uses"
},
{
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
"type": "uses"
},
{
"dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814",
"type": "uses"
},
{
"dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
}
],
"uuid": "72911fe3-f085-40f7-b4f2-f25a4221fe44",
"value": "FoggyWeb - S0661"
},
{
"description": "[QUIETCANARY](https://attack.mitre.org/software/S1076) is a backdoor tool written in .NET that has been used since at least 2022 to gather and exfiltrate data from victim networks.(Citation: Mandiant Suspected Turla Campaign February 2023)",
"meta": {
"external_id": "S1076",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S1076",
"https://www.mandiant.com/resources/blog/turla-galaxy-opportunity"
],
"synonyms": [
"QUIETCANARY",
"Tunnus"
]
},
"related": [
{
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
"type": "uses"
},
{
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"type": "uses"
},
{
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"type": "uses"
},
{
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
}
],
"uuid": "93289ecf-4d15-4d6b-a9c3-4ab27e145ef4",
"value": "QUIETCANARY - S1076"
},
{
"description": "[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)",
"meta": {
"external_id": "S1067",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S1067",
"https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/",
"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"
],
"synonyms": [
"FluBot"
]
},
"related": [
{
"dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8",
"type": "uses"
},
{
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
"type": "uses"
},
{
"dest-uuid": "24a77e53-0751-46fc-b207-99378fb35c08",
"type": "uses"
},
{
"dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49",
"type": "uses"
},
{
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
"type": "uses"
},
{
"dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
"type": "uses"
},
{
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
"type": "uses"
},
{
"dest-uuid": "5ca3c7ec-55b2-4587-9376-cf6c96f8047a",
"type": "uses"
},
{
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
"type": "uses"
},
{
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
"type": "uses"
},
{
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"type": "uses"
},
{
"dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
"type": "uses"
},
{
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
"type": "uses"
},
{
"dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626",
"type": "uses"
}
],
"uuid": "f5ff006c-702f-4ded-8e60-ca6c540d91bc",
"value": "FluBot - S1067"
},
{
"description": "[HELLOKITTY](https://attack.mitre.org/software/S0617) is a ransomware written in C++ that shares similar code structure and functionality with [DEATHRANSOM](https://attack.mitre.org/software/S0616) and [FIVEHANDS](https://attack.mitre.org/software/S0618). [HELLOKITTY](https://attack.mitre.org/software/S0617) has been used since at least 2020; targets have included a Polish video game developer and a Brazilian electric power company.(Citation: FireEye FiveHands April 2021)",
"meta": {
"external_id": "S0617",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0617",
"https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
],
"synonyms": [
"HELLOKITTY"
]
},
"related": [
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"type": "uses"
},
{
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
"type": "uses"
},
{
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
"type": "uses"
}
],
"uuid": "5d11d418-95dd-4377-b782-23160dfa17b4",
"value": "HELLOKITTY - S0617"
},
{
"description": "[Matryoshka](https://attack.mitre.org/software/S0167) is a malware framework used by [CopyKittens](https://attack.mitre.org/groups/G0052) that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)",
"meta": {
"external_id": "S0167",
"mitre_platforms": [
"Windows"
],
"refs": [
"http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf",
"https://attack.mitre.org/software/S0167",
"https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf"
],
"synonyms": [
"Matryoshka"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"type": "uses"
},
{
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"type": "uses"
},
{
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
"type": "uses"
},
{
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"type": "uses"
},
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"type": "uses"
},
{
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458",
"value": "Matryoshka - S0167"
},
{
"description": "[Tomiris](https://attack.mitre.org/software/S0671) is a backdoor written in Go that continuously queries its C2 server for executables to download and execute on a victim system. It was first reported in September 2021 during an investigation of a successful DNS hijacking campaign against a Commonwealth of Independent States (CIS) member. Security researchers assess there are similarities between [Tomiris](https://attack.mitre.org/software/S0671) and [GoldMax](https://attack.mitre.org/software/S0588).(Citation: Kaspersky Tomiris Sep 2021)",
"meta": {
"external_id": "S0671",
"refs": [
"https://attack.mitre.org/software/S0671",
"https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/"
],
"synonyms": [
"Tomiris"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"type": "uses"
},
{
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
"type": "uses"
},
{
"dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
"type": "uses"
},
{
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
"type": "uses"
},
{
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"type": "uses"
}
],
"uuid": "327b3a25-9e60-4431-b3b6-93b9c64eacbc",
"value": "Tomiris - S0671"
},
{
"description": "[Wingbird](https://attack.mitre.org/software/S0176) is a backdoor that appears to be a version of commercial software [FinFisher](https://attack.mitre.org/software/S0182). It is reportedly used to attack individual computers instead of networks. It was used by [NEODYMIUM](https://attack.mitre.org/groups/G0055) in a May 2016 campaign. (Citation: Microsoft SIR Vol 21) (Citation: Microsoft NEODYMIUM Dec 2016)",
|
|
"meta": {
|
|
"external_id": "S0176",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf",
|
|
"https://attack.mitre.org/software/S0176",
|
|
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
|
|
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Wingbird.A!dha"
|
|
],
|
|
"synonyms": [
|
|
"Wingbird"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
|
|
"value": "Wingbird - S0176"
|
|
},
|
|
{
|
|
"description": "[FIVEHANDS](https://attack.mitre.org/software/S0618) is a customized version of [DEATHRANSOM](https://attack.mitre.org/software/S0616) ransomware written in C++. [FIVEHANDS](https://attack.mitre.org/software/S0618) has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with [SombRAT](https://attack.mitre.org/software/S0615).(Citation: FireEye FiveHands April 2021)(Citation: NCC Group Fivehands June 2021)",
|
|
"meta": {
|
|
"external_id": "S0618",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0618",
|
|
"https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/",
|
|
"https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
|
|
],
|
|
"synonyms": [
|
|
"FIVEHANDS"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f464354c-7103-47c6-969b-8766f0157ed2",
|
|
"value": "FIVEHANDS - S0618"
|
|
},
|
|
{
|
|
"description": "[BlackCat](https://attack.mitre.org/software/S1068) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, [BlackCat](https://attack.mitre.org/software/S1068) has been used to target multiple sectors and organizations in various countries and regions in Africa, the Americas, Asia, Australia, and Europe.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)(Citation: ACSC BlackCat Apr 2022)",
|
|
"meta": {
|
|
"external_id": "S1068",
|
|
"mitre_platforms": [
|
|
"Linux",
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1068",
|
|
"https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/",
|
|
"https://www.cyber.gov.au/about-us/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat",
|
|
"https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"
|
|
],
|
|
"synonyms": [
|
|
"BlackCat",
|
|
"ALPHV",
|
|
"Noberus"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "50c44c34-3abb-48ae-9433-a2337de5b0bc",
|
|
"value": "BlackCat - S1068"
|
|
},
|
|
{
|
|
"description": "[DownPaper](https://attack.mitre.org/software/S0186) is a backdoor Trojan; its main functionality is to download and run second stage malware. (Citation: ClearSky Charming Kitten Dec 2017)",
|
|
"meta": {
|
|
"external_id": "S0186",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
|
|
"https://attack.mitre.org/software/S0186"
|
|
],
|
|
"synonyms": [
|
|
"DownPaper"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148",
|
|
"value": "DownPaper - S0186"
|
|
},
|
|
{
|
|
"description": "[Gazer](https://attack.mitre.org/software/S0168) is a backdoor used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2016. (Citation: ESET Gazer Aug 2017)",
|
|
"meta": {
|
|
"external_id": "S0168",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0168",
|
|
"https://securelist.com/introducing-whitebear/81638/",
|
|
"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Gazer",
|
|
"WhiteBear"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
|
|
"value": "Gazer - S0168"
|
|
},
|
|
{
|
|
"description": "[Lizar](https://attack.mitre.org/software/S0681) is a modular remote access tool written using the .NET Framework that shares structural similarities to [Carbanak](https://attack.mitre.org/software/S0030). It has likely been used by [FIN7](https://attack.mitre.org/groups/G0046) since at least February 2021.(Citation: BiZone Lizar May 2021)(Citation: Threatpost Lizar May 2021)(Citation: Gemini FIN7 Oct 2021)",
|
|
"meta": {
|
|
"external_id": "S0681",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0681",
|
|
"https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
|
|
"https://geminiadvisory.io/fin7-ransomware-bastion-secure/",
|
|
"https://threatpost.com/fin7-backdoor-ethical-hacking-tool/166194/"
|
|
],
|
|
"synonyms": [
|
|
"Lizar",
|
|
"Tirion"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f74a5069-015d-4404-83ad-5ca01056c0dc",
|
|
"value": "Lizar - S0681"
|
|
},
|
|
{
|
|
"description": "[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a backdoor malware used by [FIN8](https://attack.mitre.org/groups/G0061) that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)",
|
|
"meta": {
|
|
"external_id": "S0196",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://blog.morphisec.com/security-alert-fin8-is-back",
|
|
"https://attack.mitre.org/software/S0196",
|
|
"https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
|
|
"https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html"
|
|
],
|
|
"synonyms": [
|
|
"PUNCHBUGGY",
|
|
"ShellTea"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c",
|
|
"value": "PUNCHBUGGY - S0196"
|
|
},
|
|
{
|
|
"description": "[TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)",
|
|
"meta": {
|
|
"external_id": "S1069",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1069",
|
|
"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"
|
|
],
|
|
"synonyms": [
|
|
"TangleBot"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "68156e5a-4c3a-46dd-9c5e-c0bfdec6651f",
|
|
"value": "TangleBot - S1069"
|
|
},
|
|
{
|
|
"description": "[Neoichor](https://attack.mitre.org/software/S0691) is C2 malware used by [Ke3chang](https://attack.mitre.org/groups/G0004) since at least 2019; similar malware families used by the group include Leeson and Numbldea.(Citation: Microsoft NICKEL December 2021)",
|
|
"meta": {
|
|
"external_id": "S0691",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0691",
|
|
"https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe"
|
|
],
|
|
"synonyms": [
|
|
"Neoichor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4d7bf2ac-f953-4907-b114-be44dc174d67",
|
|
"value": "Neoichor - S0691"
|
|
},
|
|
{
|
|
"description": "[RawPOS](https://attack.mitre.org/software/S0169) is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. (Citation: Kroll RawPOS Jan 2017) (Citation: TrendMicro RawPOS April 2015) (Citation: Visa RawPOS March 2015) FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)",
|
|
"meta": {
|
|
"external_id": "S0169",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://sjc1-te-ftp.trendmicro.com/images/tex/pdf/RawPOS%20Technical%20Brief.pdf",
|
|
"https://attack.mitre.org/software/S0169",
|
|
"https://github.com/DiabloHorn/mempdump",
|
|
"https://usa.visa.com/dam/VCOM/download/merchants/alert-rawpos.pdf",
|
|
"https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?",
|
|
"https://www.kroll.com/en/insights/publications/malware-analysis-report-rawpos-malware",
|
|
"https://www.youtube.com/watch?v=fevGZs0EQu8"
|
|
],
|
|
"synonyms": [
|
|
"RawPOS",
|
|
"FIENDCRY",
|
|
"DUEBREW",
|
|
"DRIFTWOOD"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9752aef4-a1f3-4328-929f-b64eb0536090",
|
|
"value": "RawPOS - S0169"
|
|
},
|
|
{
|
|
"description": "[Hornbill](https://attack.mitre.org/software/S1077) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Hornbill](https://attack.mitre.org/software/S1077) was first active in early 2018. While [Hornbill](https://attack.mitre.org/software/S1077) and [Sunbird](https://attack.mitre.org/software/S1082) overlap in core capabilities, [Hornbill](https://attack.mitre.org/software/S1077) has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)",
|
|
"meta": {
|
|
"external_id": "S1077",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1077",
|
|
"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"
|
|
],
|
|
"synonyms": [
|
|
"Hornbill"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24a77e53-0751-46fc-b207-99378fb35c08",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "15d78a95-af6a-4b06-8dae-76bedb0ec5a1",
|
|
"value": "Hornbill - S1077"
|
|
},
|
|
{
|
|
"description": "[Daserf](https://attack.mitre.org/software/S0187) is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)",
|
|
"meta": {
|
|
"external_id": "S0187",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
|
|
"https://attack.mitre.org/software/S0187",
|
|
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
|
|
],
|
|
"synonyms": [
|
|
"Daserf",
|
|
"Muirim",
|
|
"Nioupale"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
|
|
"value": "Daserf - S0187"
|
|
},
|
|
{
|
|
"description": "[RotaJakiro](https://attack.mitre.org/software/S1078) is a 64-bit Linux backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First seen in 2018, it uses a plugin architecture to extend capabilities. [RotaJakiro](https://attack.mitre.org/software/S1078) can determine its permission level and execute according to access type (`root` or `user`).(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: netlab360 rotajakiro vs oceanlotus)",
|
|
"meta": {
|
|
"external_id": "S1078",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1078",
|
|
"https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/",
|
|
"https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/"
|
|
],
|
|
"synonyms": [
|
|
"RotaJakiro"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "08e844a8-371f-4fe3-9d1f-e056e64a7fde",
|
|
"value": "RotaJakiro - S1078"
|
|
},
|
|
{
|
|
"description": "[Truvasys](https://attack.mitre.org/software/S0178) is first-stage malware that has been used by [PROMETHIUM](https://attack.mitre.org/groups/G0056). It is a collection of modules written in the Delphi programming language. (Citation: Microsoft Win Defender Truvasys Sep 2017) (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)",
|
|
"meta": {
|
|
"external_id": "S0178",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf",
|
|
"https://attack.mitre.org/software/S0178",
|
|
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
|
|
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Truvasys.A!dha"
|
|
],
|
|
"synonyms": [
|
|
"Truvasys"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad",
|
|
"value": "Truvasys - S0178"
|
|
},
|
|
{
|
|
"description": "[PUNCHTRACK](https://attack.mitre.org/software/S0197) is non-persistent point of sale (POS) system malware utilized by [FIN8](https://attack.mitre.org/groups/G0061) to scrape payment card data. (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)",
|
|
"meta": {
|
|
"external_id": "S0197",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0197",
|
|
"https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
|
|
"https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html"
|
|
],
|
|
"synonyms": [
|
|
"PUNCHTRACK",
|
|
"PSVC"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79",
|
|
"value": "PUNCHTRACK - S0197"
|
|
},
|
|
{
|
|
"description": "[BOULDSPY](https://attack.mitre.org/software/S1079) is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that [BOULDSPY](https://attack.mitre.org/software/S1079) primarily targeted minority groups in Iran.(Citation: lookout_bouldspy_0423)",
|
|
"meta": {
|
|
"external_id": "S1079",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1079",
|
|
"https://www.lookout.com/blog/iranian-spyware-bouldspy"
|
|
],
|
|
"synonyms": [
|
|
"BOULDSPY"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d3bc5020-f6a2-41c0-8ccb-5e563101b60c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d446b9f0-06a9-4a8d-97ee-298cfee84f14",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a2ee7d2d-fb45-44f3-8f67-9921c7810db1",
|
|
"value": "BOULDSPY - S1079"
|
|
},
|
|
{
|
|
"description": "[Disco](https://attack.mitre.org/software/S1088) is a custom implant that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.(Citation: MoustachedBouncer ESET August 2023)",
|
|
"meta": {
|
|
"external_id": "S1088",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1088",
|
|
"https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"
|
|
],
|
|
"synonyms": [
|
|
"Disco"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43c9bc06-715b-42db-972f-52d25c09a20c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e1445afd-c359-45ed-8f27-626dc4d5e157",
|
|
"value": "Disco - S1088"
|
|
},
|
|
{
|
|
"description": "[Starloader](https://attack.mitre.org/software/S0188) is a loader component that has been observed loading [Felismus](https://attack.mitre.org/software/S0171) and associated tools. (Citation: Symantec Sowbug Nov 2017)",
|
|
"meta": {
|
|
"external_id": "S0188",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0188",
|
|
"https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
|
|
],
|
|
"synonyms": [
|
|
"Starloader"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4",
|
|
"value": "Starloader - S0188"
|
|
},
|
|
{
|
|
"description": "[SharpDisco](https://attack.mitre.org/software/S1089) is a dropper developed in C# that has been used by [MoustachedBouncer](https://attack.mitre.org/groups/G1019) since at least 2020 to load malicious plugins.(Citation: MoustachedBouncer ESET August 2023)",
|
|
"meta": {
|
|
"external_id": "S1089",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S1089",
|
|
"https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"
|
|
],
|
|
"synonyms": [
|
|
"SharpDisco"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "1fefb062-feda-484a-8f10-0cebf65e20e3",
|
|
"value": "SharpDisco - S1089"
|
|
},
|
|
{
|
|
"description": "[NETWIRE](https://attack.mitre.org/software/S0198) is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.(Citation: FireEye APT33 Sept 2017)(Citation: McAfee Netwire Mar 2015)(Citation: FireEye APT33 Webinar Sept 2017)",
|
|
"meta": {
|
|
"external_id": "S0198",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"Linux",
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0198",
|
|
"https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/",
|
|
"https://www.brighttalk.com/webcast/10703/275683",
|
|
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
|
|
],
|
|
"synonyms": [
|
|
"NETWIRE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "84601337-6a55-4ad7-9c35-79e0d1ea2ab3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2a70812b-f1ef-44db-8578-a496a227aef2",
|
|
"value": "NETWIRE - S0198"
|
|
},
|
|
{
|
|
"description": "[ISMInjector](https://attack.mitre.org/software/S0189) is a Trojan used to install another [OilRig](https://attack.mitre.org/groups/G0049) backdoor, ISMAgent. (Citation: OilRig New Delivery Oct 2017)",
|
|
"meta": {
|
|
"external_id": "S0189",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0189",
|
|
"https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/"
|
|
],
|
|
"synonyms": [
|
|
"ISMInjector"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324",
|
|
"value": "ISMInjector - S0189"
|
|
},
|
|
{
|
|
"description": "[TURNEDUP](https://attack.mitre.org/software/S0199) is a non-public backdoor. It has been dropped by [APT33](https://attack.mitre.org/groups/G0064)'s [StoneDrill](https://attack.mitre.org/software/S0380) malware. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)",
|
|
"meta": {
|
|
"external_id": "S0199",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0199",
|
|
"https://www.brighttalk.com/webcast/10703/275683",
|
|
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
|
|
],
|
|
"synonyms": [
|
|
"TURNEDUP"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c",
|
|
"value": "TURNEDUP - S0199"
|
|
},
|
|
{
|
|
"description": "[CCBkdr](https://attack.mitre.org/software/S0222) is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. (Citation: Talos CCleanup 2017) (Citation: Intezer Aurora Sept 2017)",
|
|
"meta": {
|
|
"external_id": "S0222",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html",
|
|
"http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/",
|
|
"https://attack.mitre.org/software/S0222"
|
|
],
|
|
"synonyms": [
|
|
"CCBkdr"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b0f13390-cec7-4814-b37c-ccec01887faa",
|
|
"value": "CCBkdr - S0222"
|
|
},
|
|
{
|
|
"description": "[POWERSTATS](https://attack.mitre.org/software/S0223) is a PowerShell-based first stage backdoor used by [MuddyWater](https://attack.mitre.org/groups/G0069). (Citation: Unit 42 MuddyWater Nov 2017)",
|
|
"meta": {
|
|
"external_id": "S0223",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0223",
|
|
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
|
|
"https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
|
|
"https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
|
|
],
|
|
"synonyms": [
|
|
"POWERSTATS",
|
|
"Powermud"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37",
|
|
"value": "POWERSTATS - S0223"
|
|
},
|
|
{
|
|
"description": "[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. (Citation: ArsTechnica-HummingBad)",
|
|
"meta": {
|
|
"external_id": "S0322",
|
|
"refs": [
|
|
"http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/",
|
|
"https://attack.mitre.org/software/S0322"
|
|
],
|
|
"synonyms": [
|
|
"HummingBad"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5cacc72-f02a-42d1-a020-7a59650086bb",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f5cacc72-f02a-42d1-a020-7a59650086bb",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c8770c81-c29f-40d2-a140-38544206b2b4",
|
|
"value": "HummingBad - S0322"
|
|
},
|
|
{
|
|
"description": "[HOMEFRY](https://attack.mitre.org/software/S0232) is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other [Leviathan](https://attack.mitre.org/groups/G0065) backdoors. (Citation: FireEye Periscope March 2018)",
|
|
"meta": {
|
|
"external_id": "S0232",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0232",
|
|
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
|
|
],
|
|
"synonyms": [
|
|
"HOMEFRY"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7451bcf9-e6e6-4a70-bc3d-1599173d0035",
|
|
"value": "HOMEFRY - S0232"
|
|
},
|
|
{
|
|
"description": "[SynAck](https://attack.mitre.org/software/S0242) is a variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. (Citation: SecureList SynAck Doppelg\u00e4nging May 2018) (Citation: Kaspersky Lab SynAck May 2018)",
|
|
"meta": {
|
|
"external_id": "S0242",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0242",
|
|
"https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/",
|
|
"https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging"
|
|
],
|
|
"synonyms": [
|
|
"SynAck"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "04227b24-7817-4de1-9050-b7b1b57f5866",
|
|
"value": "SynAck - S0242"
|
|
},
|
|
{
|
|
"description": "[Anubis](https://attack.mitre.org/software/S0422) is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.(Citation: Cofense Anubis)",
|
|
"meta": {
|
|
"external_id": "S0422",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0422",
|
|
"https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"
|
|
],
|
|
"synonyms": [
|
|
"Anubis"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "986f80f7-ff0e-4f48-87bd-0394814bbce5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a3c59d82-2c7c-44e5-a869-68e0a3e5935e",
|
|
"value": "Anubis - S0422"
|
|
},
|
|
{
|
|
"description": "[Exobot](https://attack.mitre.org/software/S0522) is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.(Citation: Threat Fabric Exobot)",
|
|
"meta": {
|
|
"external_id": "S0522",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0522",
|
|
"https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks",
|
|
"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"
|
|
],
|
|
"synonyms": [
|
|
"Exobot",
|
|
"Marcher"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d44f529-6fe6-489f-8a01-6261ac43f05e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5ca3c7ec-55b2-4587-9376-cf6c96f8047a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c91cec55-634c-4670-ba10-2dc7ceb28e98",
|
|
"value": "Exobot - S0522"
|
|
},
|
|
{
|
|
"description": "[AppleSeed](https://attack.mitre.org/software/S0622) is a backdoor that has been used by [Kimsuky](https://attack.mitre.org/groups/G0094) to target South Korean government, academic, and commercial targets since at least 2021.(Citation: Malwarebytes Kimsuky June 2021)",
|
|
"meta": {
|
|
"external_id": "S0622",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0622",
|
|
"https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/"
|
|
],
|
|
"synonyms": [
|
|
"AppleSeed"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "295721d2-ee20-4fa3-ade3-37f4146b4570",
|
|
"value": "AppleSeed - S0622"
|
|
},
|
|
{
|
|
"description": "[NDiskMonitor](https://attack.mitre.org/software/S0272) is a custom backdoor written in .NET that appears to be unique to [Patchwork](https://attack.mitre.org/groups/G0040). (Citation: TrendMicro Patchwork Dec 2017)",
|
|
"meta": {
|
|
"external_id": "S0272",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0272",
|
|
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
|
|
],
|
|
"synonyms": [
|
|
"NDiskMonitor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e",
|
|
"value": "NDiskMonitor - S0272"
|
|
},
|
|
{
|
|
"description": "[NanHaiShu](https://attack.mitre.org/software/S0228) is a remote access tool and JScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). [NanHaiShu](https://attack.mitre.org/software/S0228) has been used to target government and private-sector organizations that have relations to the South China Sea dispute. (Citation: Proofpoint Leviathan Oct 2017) (Citation: fsecure NanHaiShu July 2016)",
|
|
"meta": {
|
|
"external_id": "S0228",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0228",
|
|
"https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf",
|
|
"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets"
|
|
],
|
|
"synonyms": [
|
|
"NanHaiShu"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7abd6950-7a07-4d9e-ade1-62414fa50619",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7abd6950-7a07-4d9e-ade1-62414fa50619",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2",
|
|
"value": "NanHaiShu - S0228"
|
|
},
|
|
{
|
|
"description": "[MacSpy](https://attack.mitre.org/software/S0282) is a malware-as-a-service offered on the darkweb (Citation: objsee mac malware 2017).",
|
|
"meta": {
|
|
"external_id": "S0282",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0282",
|
|
"https://objective-see.com/blog/blog_0x25.html"
|
|
],
|
|
"synonyms": [
|
|
"MacSpy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f72251cb-2be5-421f-a081-99c29a1209e7",
|
|
"value": "MacSpy - S0282"
|
|
},
|
|
{
|
|
"description": "[AndroRAT](https://attack.mitre.org/software/S0292) is malware that allows a third party to control the device and collect information. (Citation: Lookout-EnterpriseApps)",
|
|
"meta": {
|
|
"external_id": "S0292",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0292",
|
|
"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "80447111-8085-40a4-a052-420926091ac6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "80447111-8085-40a4-a052-420926091ac6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93",
|
|
"value": "AndroRAT - S0292"
|
|
},
|
|
{
|
|
"description": "[Orz](https://attack.mitre.org/software/S0229) is a custom JavaScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)",
|
|
"meta": {
|
|
"external_id": "S0229",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0229",
|
|
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
|
|
"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets"
|
|
],
|
|
"synonyms": [
|
|
"Orz",
|
|
"AIRBREAK"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fd419da6-5c0d-461e-96ee-64397efac63b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "fd419da6-5c0d-461e-96ee-64397efac63b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b",
|
|
"value": "Orz - S0229"
|
|
},
|
|
{
|
|
"description": "[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. (Citation: CheckPoint-Charger)",
|
|
"meta": {
|
|
"external_id": "S0323",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"http://blog.checkpoint.com/2017/01/24/charger-malware/",
|
|
"https://attack.mitre.org/software/S0323"
|
|
],
|
|
"synonyms": [
|
|
"Charger"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "6e0545df-8df6-4990-971c-e96c4c60d561",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6e0545df-8df6-4990-971c-e96c4c60d561",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d1c600f8-0fb6-4367-921b-85b71947d950",
|
|
"value": "Charger - S0323"
|
|
},
|
|
{
|
|
"description": "[MURKYTOP](https://attack.mitre.org/software/S0233) is a reconnaissance tool used by [Leviathan](https://attack.mitre.org/groups/G0065). (Citation: FireEye Periscope March 2018)",
|
|
"meta": {
|
|
"external_id": "S0233",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0233",
|
|
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
|
|
],
|
|
"synonyms": [
|
|
"MURKYTOP"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "049ff071-0b3c-4712-95d2-d21c6aa54501",
|
|
"value": "MURKYTOP - S0233"
|
|
},
|
|
{
|
|
"description": "[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store\u2019s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)",
|
|
"meta": {
|
|
"external_id": "S0432",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0432",
|
|
"https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"
|
|
],
|
|
"synonyms": [
|
|
"Bread",
|
|
"Joker"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "51636761-2e35-44bf-9e56-e337adf97174",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "108b2817-bc01-404e-8e1b-8cdeec846326",
|
|
"value": "Bread - S0432"
|
|
},
|
|
{
|
|
"description": "[Bandook](https://attack.mitre.org/software/S0234) is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. [Bandook](https://attack.mitre.org/software/S0234) has been used by [Dark Caracal](https://attack.mitre.org/groups/G0070), as well as in a separate campaign referred to as \"Operation Manul\".(Citation: EFF Manul Aug 2016)(Citation: Lookout Dark Caracal Jan 2018)(Citation: CheckPoint Bandook Nov 2020)",
|
|
"meta": {
|
|
"external_id": "S0234",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0234",
|
|
"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf",
|
|
"https://research.checkpoint.com/2020/bandook-signed-delivered/",
|
|
"https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Bandook"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "835a79f1-842d-472d-b8f4-d54b545c341b",
|
|
"value": "Bandook - S0234"
|
|
},
|
|
{
|
|
"description": "[DealersChoice](https://attack.mitre.org/software/S0243) is a Flash exploitation framework used by [APT28](https://attack.mitre.org/groups/G0007). (Citation: Sofacy DealersChoice)",
|
|
"meta": {
|
|
"external_id": "S0243",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0243",
|
|
"https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/"
|
|
],
|
|
"synonyms": [
|
|
"DealersChoice"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8f460983-1bbb-4e7e-8094-f0b5e720f658",
|
|
"value": "DealersChoice - S0243"
|
|
},
|
|
{
|
|
"description": "[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. (Citation: PaloAlto-SpyDealer)",
|
|
"meta": {
|
|
"external_id": "S0324",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0324",
|
|
"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
|
|
],
|
|
"synonyms": [
|
|
"SpyDealer"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "86fc6f0c-86d9-473e-89f3-f50f3cb9319b",
|
|
"value": "SpyDealer - S0324"
|
|
},
|
|
{
|
|
"description": "[GreyEnergy](https://attack.mitre.org/software/S0342) is a backdoor written in C and compiled in Visual Studio. [GreyEnergy](https://attack.mitre.org/software/S0342) shares similarities with the [BlackEnergy](https://attack.mitre.org/software/S0089) malware and is thought to be the successor of it.(Citation: ESET GreyEnergy Oct 2018)",
|
|
"meta": {
|
|
"external_id": "S0342",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0342",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf"
|
|
],
|
|
"synonyms": [
|
|
"GreyEnergy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "308b3d68-a084-4dfb-885a-3125e1a9c1e8",
|
|
"value": "GreyEnergy - S0342"
|
|
},
|
|
{
|
|
"description": "[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)",
|
|
"meta": {
|
|
"external_id": "S0423",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0423",
|
|
"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"
|
|
],
|
|
"synonyms": [
|
|
"Ginp"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6146be90-470c-4049-bb3a-9986b8ffb65b",
|
|
"value": "Ginp - S0423"
|
|
},
|
|
{
|
|
"description": "[CrossRAT](https://attack.mitre.org/software/S0235) is a cross-platform RAT.",
|
|
"meta": {
|
|
"external_id": "S0235",
|
|
"mitre_platforms": [
|
|
"Linux",
|
|
"Windows",
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0235",
|
|
"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
|
|
],
|
|
"synonyms": [
|
|
"CrossRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea",
|
|
"value": "CrossRAT - S0235"
|
|
},
|
|
{
|
|
"description": "[RunningRAT](https://attack.mitre.org/software/S0253) is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [Brave Prince](https://attack.mitre.org/software/S0252). (Citation: McAfee Gold Dragon)",
|
|
"meta": {
|
|
"external_id": "S0253",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0253",
|
|
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/"
|
|
],
|
|
"synonyms": [
|
|
"RunningRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "60d50676-459a-47dd-92e9-a827a9fe9c58",
|
|
"value": "RunningRAT - S0253"
|
|
},
|
|
{
|
|
"description": "[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)",
|
|
"meta": {
|
|
"external_id": "S0325",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0325",
|
|
"https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "172444ab-97fc-4d94-b142-179452bfb760",
|
|
"value": "Judy - S0325"
|
|
},
|
|
{
|
|
"description": "[Lucifer](https://attack.mitre.org/software/S0532) is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.(Citation: Unit 42 Lucifer June 2020)",
|
|
"meta": {
|
|
"external_id": "S0532",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0532",
|
|
"https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/"
|
|
],
|
|
"synonyms": [
|
|
"Lucifer"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "54a73038-1937-4d71-a253-316e76d5413c",
|
|
"value": "Lucifer - S0532"
|
|
},
|
|
{
|
|
"description": "[TYPEFRAME](https://attack.mitre.org/software/S0263) is a remote access tool that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: US-CERT TYPEFRAME June 2018)",
|
|
"meta": {
|
|
"external_id": "S0263",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0263",
|
|
"https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
|
|
],
|
|
"synonyms": [
|
|
"TYPEFRAME"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5",
|
|
"value": "TYPEFRAME - S0263"
|
|
},
|
|
{
|
|
"description": "[GrimAgent](https://attack.mitre.org/software/S0632) is a backdoor that has been used before the deployment of [Ryuk](https://attack.mitre.org/software/S0446) ransomware since at least 2020; it is likely used by [FIN6](https://attack.mitre.org/groups/G0037) and [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Group IB GrimAgent July 2021)",
|
|
"meta": {
|
|
"external_id": "S0632",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0632",
|
|
"https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer"
|
|
],
|
|
"synonyms": [
|
|
"GrimAgent"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c9b99d03-ff11-4a48-95f0-82660d582c25",
|
|
"value": "GrimAgent - S0632"
|
|
},
|
|
{
|
|
"description": "[RedDrop](https://attack.mitre.org/software/S0326) is an Android malware family that exfiltrates sensitive data from devices. (Citation: Wandera-RedDrop)",
|
|
"meta": {
|
|
"external_id": "S0326",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0326",
|
|
"https://www.wandera.com/reddrop-malware/"
|
|
],
|
|
"synonyms": [
|
|
"RedDrop"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
|
|
"value": "RedDrop - S0326"
|
|
},
|
|
{
|
|
"description": "[Kwampirs](https://attack.mitre.org/software/S0236) is a backdoor Trojan used by [Orangeworm](https://attack.mitre.org/groups/G0071). It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. (Citation: Symantec Orangeworm April 2018)",
|
|
"meta": {
|
|
"external_id": "S0236",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0236",
|
|
"https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
|
|
],
|
|
"synonyms": [
|
|
"Kwampirs"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab",
|
|
"value": "Kwampirs - S0236"
|
|
},
|
|
{
|
|
"description": "[Siloscape](https://attack.mitre.org/software/S0623) is malware that targets Kubernetes clusters through Windows containers. [Siloscape](https://attack.mitre.org/software/S0623) was first observed in March 2021.(Citation: Unit 42 Siloscape Jun 2021)",
|
|
"meta": {
|
|
"external_id": "S0623",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"Containers"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0623",
|
|
"https://unit42.paloaltonetworks.com/siloscape/"
|
|
],
|
|
"synonyms": [
|
|
"Siloscape"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4fbd565b-bf55-4ac7-80b4-b183a7b64b9c",
|
|
"value": "Siloscape - S0623"
|
|
},
|
|
{
|
|
"description": "[GravityRAT](https://attack.mitre.org/software/S0237) is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are \"TheMartian\" and \"The Invincible.\" According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India. (Citation: Talos GravityRAT)",
|
|
"meta": {
|
|
"external_id": "S0237",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0237",
|
|
"https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
|
|
],
|
|
"synonyms": [
|
|
"GravityRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "1d1fce2f-0db5-402b-9843-4278a0694637",
|
|
"value": "GravityRAT - S0237"
|
|
},
|
|
{
|
|
"description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)",
|
|
"meta": {
|
|
"external_id": "S0372",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0372",
|
|
"https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/",
|
|
"https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/"
|
|
],
|
|
"synonyms": [
|
|
"LockerGoga"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48",
|
|
"value": "LockerGoga - S0372"
|
|
},
|
|
{
|
|
"description": "[Socksbot](https://attack.mitre.org/software/S0273) is a backdoor that abuses Socket Secure (SOCKS) proxies. (Citation: TrendMicro Patchwork Dec 2017)",
|
|
"meta": {
|
|
"external_id": "S0273",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0273",
|
|
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Socksbot"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e494ad79-37ee-4cd0-866b-299c521d8b94",
|
|
"value": "Socksbot - S0273"
|
|
},
|
|
{
|
|
"description": "[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. (Citation: Kaspersky-Skygofree)",
|
|
"meta": {
|
|
"external_id": "S0327",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0327",
|
|
"https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"
|
|
],
|
|
"synonyms": [
|
|
"Skygofree"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3a913bac-4fae-4d0e-bca8-cae452f1599b",
|
|
"value": "Skygofree - S0327"
|
|
},
|
|
{
|
|
"description": "[jRAT](https://attack.mitre.org/software/S0283) is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of [jRAT](https://attack.mitre.org/software/S0283) have been distributed via a software-as-a-service platform, similar to an online subscription model.(Citation: Kaspersky Adwind Feb 2016) (Citation: jRAT Symantec Aug 2018)",
|
|
"meta": {
|
|
"external_id": "S0283",
|
|
"mitre_platforms": [
|
|
"Linux",
|
|
"Windows",
|
|
"macOS",
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0283",
|
|
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf",
|
|
"https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools",
|
|
"https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques"
|
|
],
|
|
"synonyms": [
|
|
"jRAT",
|
|
"JSocket",
|
|
"AlienSpy",
|
|
"Frutas",
|
|
"Sockrat",
|
|
"Unrecom",
|
|
"jFrutas",
|
|
"Adwind",
|
|
"jBiFrost",
|
|
"Trojan.Maljava"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c",
|
|
"value": "jRAT - S0283"
|
|
},
|
|
{
|
|
"description": "[ServHelper](https://attack.mitre.org/software/S0382) is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.(Citation: Proofpoint TA505 Jan 2019)",
|
|
"meta": {
|
|
"external_id": "S0382",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0382",
|
|
"https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505"
|
|
],
|
|
"synonyms": [
|
|
"ServHelper"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "aae22730-e571-4d17-b037-65f2a3e26213",
|
|
"value": "ServHelper - S0382"
|
|
},
|
|
{
|
|
"description": "[Proxysvc](https://attack.mitre.org/software/S0238) is a malicious DLL used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc](https://attack.mitre.org/software/S0238) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. (Citation: McAfee GhostSecret)",
|
|
"meta": {
|
|
"external_id": "S0238",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0238",
|
|
"https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/"
|
|
],
|
|
"synonyms": [
|
|
"Proxysvc"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "069af411-9b24-4e85-b26c-623d035bbe84",
|
|
"value": "Proxysvc - S0238"
|
|
},
|
|
{
|
|
"description": "[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)",
|
|
"meta": {
|
|
"external_id": "S0293",
|
|
"refs": [
|
|
"http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/",
|
|
"https://attack.mitre.org/software/S0293",
|
|
"https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e",
|
|
"value": "BrainTest - S0293"
|
|
},
|
|
{
|
|
"description": "[Bankshot](https://attack.mitre.org/software/S0239) is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, [Lazarus Group](https://attack.mitre.org/groups/G0032) used the [Bankshot](https://attack.mitre.org/software/S0239) implant in attacks against the Turkish financial sector. (Citation: McAfee Bankshot)",
|
|
"meta": {
|
|
"external_id": "S0239",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0239",
|
|
"https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/"
|
|
],
|
|
"synonyms": [
|
|
"Bankshot",
|
|
"Trojan Manuscript"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "1f6e3702-7ca1-4582-b2e7-4591297d05a8",
|
|
"value": "Bankshot - S0239"
|
|
},
|
|
{
|
|
"description": "[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)",
|
|
"meta": {
|
|
"external_id": "S0329",
|
|
"mitre_platforms": [
|
|
"iOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0329",
|
|
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Tangelo"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "35aae10a-97c5-471a-9c67-02c231a7a31a",
|
|
"value": "Tangelo - S0329"
|
|
},
|
|
{
|
|
"description": "[VBShower](https://attack.mitre.org/software/S0442) is a backdoor that has been used by [Inception](https://attack.mitre.org/groups/G0100) since at least 2019. [VBShower](https://attack.mitre.org/software/S0442) has been used as a downloader for second stage payloads, including [PowerShower](https://attack.mitre.org/software/S0441).(Citation: Kaspersky Cloud Atlas August 2019)",
|
|
"meta": {
|
|
"external_id": "S0442",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0442",
|
|
"https://securelist.com/recent-cloud-atlas-activity/92016/"
|
|
],
|
|
"synonyms": [
|
|
"VBShower"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8caa18af-4758-4fd3-9600-e8af579e89ed",
|
|
"value": "VBShower - S0442"
|
|
},
|
|
{
|
|
"description": "[Comnie](https://attack.mitre.org/software/S0244) is a remote backdoor which has been used in attacks in East Asia. (Citation: Palo Alto Comnie)",
|
|
"meta": {
|
|
"external_id": "S0244",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0244",
|
|
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/"
|
|
],
|
|
"synonyms": [
|
|
"Comnie"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f4c80d39-ce10-4f74-9b50-a7e3f5df1f2e",
|
|
"value": "Comnie - S0244"
|
|
},
|
|
{
|
|
"description": "[Triada](https://attack.mitre.org/software/S0424) was first reported in 2016 as a second stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)",
|
|
"meta": {
|
|
"external_id": "S0424",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0424",
|
|
"https://www.kaspersky.com/blog/triada-trojan/11481/"
|
|
],
|
|
"synonyms": [
|
|
"Triada"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f082fc59-0317-49cf-971f-a1b6296ebb52",
|
|
"value": "Triada - S0424"
|
|
},
|
|
{
|
|
"description": "[BADCALL](https://attack.mitre.org/software/S0245) is a Trojan malware variant used by the group [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: US-CERT BADCALL)",
|
|
"meta": {
|
|
"external_id": "S0245",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0245",
|
|
"https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF"
|
|
],
|
|
"synonyms": [
|
|
"BADCALL"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9dbdadb6-fdbf-490f-a35f-38762d06a0d2",
|
|
"value": "BADCALL - S0245"
|
|
},
|
|
{
|
|
"description": "[PLAINTEE](https://attack.mitre.org/software/S0254) is a malware sample that has been used by [Rancor](https://attack.mitre.org/groups/G0075) in targeted attacks in Singapore and Cambodia. (Citation: Rancor Unit42 June 2018)",
|
|
"meta": {
|
|
"external_id": "S0254",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0254",
|
|
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
|
|
],
|
|
"synonyms": [
|
|
"PLAINTEE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b",
|
|
"value": "PLAINTEE - S0254"
|
|
},
|
|
{
|
|
"description": "[USBferry](https://attack.mitre.org/software/S0452) is an information stealing malware and has been used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) in targeted attacks against Taiwanese and Philippine air-gapped military environments. [USBferry](https://attack.mitre.org/software/S0452) shares an overlapping codebase with [YAHOYAH](https://attack.mitre.org/software/S0388), though it has several features which makes it a distinct piece of malware.(Citation: TrendMicro Tropic Trooper May 2020)",
|
|
"meta": {
|
|
"external_id": "S0452",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0452",
|
|
"https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf"
|
|
],
|
|
"synonyms": [
|
|
"USBferry"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "75bba379-4ba1-467e-8c60-ec2b269ee984",
|
|
"value": "USBferry - S0452"
|
|
},
|
|
{
|
|
"description": "[CARROTBAT](https://attack.mitre.org/software/S0462) is a customized dropper that has been in use since at least 2017. [CARROTBAT](https://attack.mitre.org/software/S0462) has been used to install [SYSCON](https://attack.mitre.org/software/S0464) and has infrastructure overlap with [KONNI](https://attack.mitre.org/software/S0356).(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)",
|
|
"meta": {
|
|
"external_id": "S0462",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0462",
|
|
"https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
|
|
"https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/"
|
|
],
|
|
"synonyms": [
|
|
"CARROTBAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "1b9f0800-035e-4ed1-9648-b18294cc5bc8",
|
|
"value": "CARROTBAT - S0462"
|
|
},
|
|
{
|
|
"description": "[HARDRAIN](https://attack.mitre.org/software/S0246) is a Trojan malware variant reportedly used by the North Korean government. (Citation: US-CERT HARDRAIN March 2018)",
|
|
"meta": {
|
|
"external_id": "S0246",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0246",
|
|
"https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf"
|
|
],
|
|
"synonyms": [
|
|
"HARDRAIN"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988",
|
|
"value": "HARDRAIN - S0246"
|
|
},
|
|
{
|
|
"description": "[BADFLICK](https://attack.mitre.org/software/S0642) is a backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065) in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.(Citation: FireEye Periscope March 2018)(Citation: Accenture MUDCARP March 2019)",
|
|
"meta": {
|
|
"external_id": "S0642",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0642",
|
|
"https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies",
|
|
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
|
|
],
|
|
"synonyms": [
|
|
"BADFLICK"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "57d83eac-a2ea-42b0-a7b2-c80c55157790",
|
|
"value": "BADFLICK - S0642"
|
|
},
|
|
{
|
|
"description": "[OopsIE](https://attack.mitre.org/software/S0264) is a Trojan used by [OilRig](https://attack.mitre.org/groups/G0049) to remotely execute commands as well as upload/download files to/from victims. (Citation: Unit 42 OopsIE! Feb 2018)",
|
|
"meta": {
|
|
"external_id": "S0264",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0264",
|
|
"https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/",
|
|
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/"
|
|
],
|
|
"synonyms": [
|
|
"OopsIE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c",
|
|
"value": "OopsIE - S0264"
|
|
},
|
|
{
|
|
"description": "[Ecipekac](https://attack.mitre.org/software/S0624) is a multi-layer loader that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2019 including use as a loader for [P8RAT](https://attack.mitre.org/software/S0626), [SodaMaster](https://attack.mitre.org/software/S0627), and [FYAnti](https://attack.mitre.org/software/S0628).(Citation: Securelist APT10 March 2021)",
|
|
"meta": {
|
|
"external_id": "S0624",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0624",
|
|
"https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/"
|
|
],
|
|
"synonyms": [
|
|
"Ecipekac",
|
|
"HEAVYHAND",
|
|
"SigLoader",
|
|
"DESLoader"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "292eb0c5-b8e8-4af6-9e8f-0fda6b4528d3",
|
|
"value": "Ecipekac - S0624"
|
|
},
|
|
{
|
|
"description": "[NavRAT](https://attack.mitre.org/software/S0247) is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. (Citation: Talos NavRAT May 2018)",
|
|
"meta": {
|
|
"external_id": "S0247",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0247",
|
|
"https://blog.talosintelligence.com/2018/05/navrat.html"
|
|
],
|
|
"synonyms": [
|
|
"NavRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "53a42597-1974-4b8e-84fd-3675e8992053",
|
|
"value": "NavRAT - S0247"
|
|
},
|
|
{
|
|
"description": "[Calisto](https://attack.mitre.org/software/S0274) is a macOS Trojan that opens a backdoor on the compromised machine. [Calisto](https://attack.mitre.org/software/S0274) is believed to have first been developed in 2016. (Citation: Securelist Calisto July 2018) (Citation: Symantec Calisto July 2018)",
|
|
"meta": {
|
|
"external_id": "S0274",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0274",
|
|
"https://securelist.com/calisto-trojan-for-macos/86543/",
|
|
"https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days"
|
|
],
|
|
"synonyms": [
|
|
"Calisto"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "810aa4ad-61c9-49cb-993f-daa06199421d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b8fdef82-d2cf-4948-8949-6466357b1be1",
|
|
"value": "Calisto - S0274"
|
|
},
|
|
{
|
|
"description": "[TrickMo](https://attack.mitre.org/software/S0427) a 2FA bypass mobile banking trojan, most likely being distributed by [TrickBot](https://attack.mitre.org/software/S0266). [TrickMo](https://attack.mitre.org/software/S0427) has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)\n\n[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo) ",
|
|
"meta": {
|
|
"external_id": "S0427",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0427",
|
|
"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"
|
|
],
|
|
"synonyms": [
|
|
"TrickMo"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "acf8fd2a-dc98-43b4-8d37-64e10728e591",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "21170624-89db-4e99-bf27-58d26be07c3a",
|
|
"value": "TrickMo - S0427"
|
|
},
|
|
{
|
|
"description": " [down_new](https://attack.mitre.org/software/S0472) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)",
|
|
"meta": {
|
|
"external_id": "S0472",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0472",
|
|
"https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf"
|
|
],
|
|
"synonyms": [
|
|
"down_new"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8be7c69e-d8e3-4970-9668-61de08e508cc",
|
|
"value": "down_new - S0472"
|
|
},
|
|
{
|
|
"description": "[PoetRAT](https://attack.mitre.org/software/S0428) is a remote access trojan (RAT) that was first identified in April 2020. [PoetRAT](https://attack.mitre.org/software/S0428) has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. [PoetRAT](https://attack.mitre.org/software/S0428) derived its name from references in the code to poet William Shakespeare. (Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020)(Citation: Dragos Threat Report 2020)",
|
|
"meta": {
|
|
"external_id": "S0428",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0428",
|
|
"https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
|
|
"https://blog.talosintelligence.com/2020/10/poetrat-update.html",
|
|
"https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770"
|
|
],
|
|
"synonyms": [
|
|
"PoetRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "cc5497f7-a9e8-436f-94da-b2b4a9b9ad3c",
|
|
"value": "PoetRAT - S0428"
|
|
},
|
|
{
|
|
"description": "[Bundlore](https://attack.mitre.org/software/S0482) is adware written for macOS that has been in use since at least 2015. Though categorized as adware, [Bundlore](https://attack.mitre.org/software/S0482) has many features associated with more traditional backdoors.(Citation: MacKeeper Bundlore Apr 2019)",
|
|
"meta": {
|
|
"external_id": "S0482",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0482",
|
|
"https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/"
|
|
],
|
|
"synonyms": [
|
|
"Bundlore",
|
|
"OSX.Bundlore"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7bef1b56-4870-4e74-b32a-7dd88c390c44",
|
|
"value": "Bundlore - S0482"
|
|
},
|
|
{
|
|
"description": "[More_eggs](https://attack.mitre.org/software/S0284) is a JScript backdoor used by [Cobalt Group](https://attack.mitre.org/groups/G0080) and [FIN6](https://attack.mitre.org/groups/G0037). Its name was given based on the variable \"More_eggs\" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. (Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)",
|
|
"meta": {
|
|
"external_id": "S0284",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0284",
|
|
"https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html",
|
|
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
|
|
"https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/",
|
|
"https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf",
|
|
"https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/"
|
|
],
|
|
"synonyms": [
|
|
"More_eggs",
|
|
"SKID",
|
|
"Terra Loader",
|
|
"SpicyOmelette"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "bfd2738c-8b43-43c3-bc9f-d523c8e88bf4",
|
|
"value": "More_eggs - S0284"
|
|
},
|
|
{
|
|
"description": "[yty](https://attack.mitre.org/software/S0248) is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. (Citation: ASERT Donot March 2018)",
|
|
"meta": {
|
|
"external_id": "S0248",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0248",
|
|
"https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/"
|
|
],
|
|
"synonyms": [
|
|
"yty"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0817aaf2-afea-4c32-9285-4dcd1df5bf14",
|
|
"value": "yty - S0248"
|
|
},
|
|
{
|
|
"description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. (Citation: Lookout-Adware)",
|
|
"meta": {
|
|
"external_id": "S0294",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0294",
|
|
"https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0c769e82-df28-4f65-97f5-7f3d88488f2e",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0c769e82-df28-4f65-97f5-7f3d88488f2e",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
},
|
|
{
|
|
"dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c80a6bef-b3ce-44d0-b113-946e93124898",
|
|
"value": "ShiftyBug - S0294"
|
|
},
|
|
{
|
|
"description": "[CookieMiner](https://attack.mitre.org/software/S0492) is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.(Citation: Unit42 CookieMiner Jan 2019)",
|
|
"meta": {
|
|
"external_id": "S0492",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0492",
|
|
"https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/"
|
|
],
|
|
"synonyms": [
|
|
"CookieMiner"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "eedc01d5-95e6-4d21-bcd4-1121b1df4586",
|
|
"value": "CookieMiner - S0492"
|
|
},
|
|
{
|
|
"description": "[Pay2Key](https://attack.mitre.org/software/S0556) is a ransomware written in C++ that has been used by [Fox Kitten](https://attack.mitre.org/groups/G0117) since at least July 2020 including campaigns against Israeli companies. [Pay2Key](https://attack.mitre.org/software/S0556) has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.(Citation: ClearkSky Fox Kitten February 2020)(Citation: Check Point Pay2Key November 2020)",
|
|
"meta": {
|
|
"external_id": "S0556",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0556",
|
|
"https://research.checkpoint.com/2020/ransomware-alert-pay2key/",
|
|
"https://www.clearskysec.com/fox-kitten/"
|
|
],
|
|
"synonyms": [
|
|
"Pay2Key"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "77ca1aa3-280c-4b67-abaa-e8fb891a8f83",
|
|
"value": "Pay2Key - S0556"
|
|
},
|
|
{
|
|
"description": "[DDKONG](https://attack.mitre.org/software/S0255) is a malware sample that was part of a campaign by [Rancor](https://attack.mitre.org/groups/G0075). [DDKONG](https://attack.mitre.org/software/S0255) was first seen used in February 2017. (Citation: Rancor Unit42 June 2018)",
|
|
"meta": {
|
|
"external_id": "S0255",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0255",
|
|
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb",
|
|
"value": "DDKONG - S0255"
|
|
},
|
|
{
|
|
"description": "[MarkiRAT](https://attack.mitre.org/software/S0652) is a remote access Trojan (RAT) compiled with Visual Studio that has been used by [Ferocious Kitten](https://attack.mitre.org/groups/G0137) since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)",
|
|
"meta": {
|
|
"external_id": "S0652",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0652",
|
|
"https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/"
|
|
],
|
|
"synonyms": [
|
|
"MarkiRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "532c6004-b1e8-415b-9516-f7c14ba783b1",
|
|
"value": "MarkiRAT - S0652"
|
|
},
|
|
{
|
|
"description": "\n[Cuba](https://attack.mitre.org/software/S0625) is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.(Citation: McAfee Cuba April 2021)",
|
|
"meta": {
|
|
"external_id": "S0625",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0625",
|
|
"https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Cuba"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6cd07296-14aa-403d-9229-6343d03d4752",
|
|
"value": "Cuba - S0625"
|
|
},
|
|
{
|
|
"description": "[KGH_SPY](https://attack.mitre.org/software/S0526) is a modular suite of tools used by [Kimsuky](https://attack.mitre.org/groups/G0094) for reconnaissance, information stealing, and backdoor capabilities. [KGH_SPY](https://attack.mitre.org/software/S0526) derived its name from PDB paths and internal names found in samples containing \"KGH\".(Citation: Cybereason Kimsuky November 2020)",
|
|
"meta": {
|
|
"external_id": "S0526",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0526",
|
|
"https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"
|
|
],
|
|
"synonyms": [
|
|
"KGH_SPY"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8bdfe255-e658-4ddd-a11c-b854762e451d",
|
|
"value": "KGH_SPY - S0526"
|
|
},
|
|
{
|
|
"description": "[Kazuar](https://attack.mitre.org/software/S0265) is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. (Citation: Unit 42 Kazuar May 2017)",
|
|
"meta": {
|
|
"external_id": "S0265",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0265",
|
|
"https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/"
|
|
],
|
|
"synonyms": [
|
|
"Kazuar"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "536be338-e2ef-4a6b-afb6-8d5568b91eb2",
|
|
"value": "Kazuar - S0265"
|
|
},
|
|
{
|
|
"description": "[Mosquito](https://attack.mitre.org/software/S0256) is a Win32 backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010). [Mosquito](https://attack.mitre.org/software/S0256) is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. (Citation: ESET Turla Mosquito Jan 2018)",
|
|
"meta": {
|
|
"external_id": "S0256",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0256",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Mosquito"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "92b55426-109f-4d93-899f-1833ce91ff90",
|
|
"value": "Mosquito - S0256"
|
|
},
|
|
{
|
|
"description": "[SUNSPOT](https://attack.mitre.org/software/S0562) is an implant that injected the [SUNBURST](https://attack.mitre.org/software/S0559) backdoor into the SolarWinds Orion software update framework. It was used by [APT29](https://attack.mitre.org/groups/G0016) since at least February 2020.(Citation: CrowdStrike SUNSPOT Implant January 2021) ",
|
|
"meta": {
|
|
"external_id": "S0562",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0562",
|
|
"https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/"
|
|
],
|
|
"synonyms": [
|
|
"SUNSPOT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "bf48e7f8-752c-4ce8-bf8f-748edacd8fa6",
|
|
"value": "SUNSPOT - S0562"
|
|
},
|
|
{
|
|
"description": "[UPPERCUT](https://attack.mitre.org/software/S0275) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045). (Citation: FireEye APT10 Sept 2018)",
|
|
"meta": {
|
|
"external_id": "S0275",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0275",
|
|
"https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html"
|
|
],
|
|
"synonyms": [
|
|
"UPPERCUT",
|
|
"ANEL"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa",
|
|
"value": "UPPERCUT - S0275"
|
|
},
|
|
{
|
|
"description": "[VERMIN](https://attack.mitre.org/software/S0257) is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. (Citation: Unit 42 VERMIN Jan 2018)",
|
|
"meta": {
|
|
"external_id": "S0257",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0257",
|
|
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/"
|
|
],
|
|
"synonyms": [
|
|
"VERMIN"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5189f018-fea2-45d7-b0ed-23f9ee0a46f3",
|
|
"value": "VERMIN - S0257"
|
|
},
|
|
{
|
|
"description": "[LookBack](https://attack.mitre.org/software/S0582) is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using [LookBack](https://attack.mitre.org/software/S0582).(Citation: Proofpoint LookBack Malware Aug 2019)(Citation: Dragos TALONITE)(Citation: Dragos Threat Report 2020)",
|
|
"meta": {
|
|
"external_id": "S0582",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0582",
|
|
"https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770",
|
|
"https://www.dragos.com/threat/talonite/",
|
|
"https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks"
|
|
],
|
|
"synonyms": [
|
|
"LookBack"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c9ccc4df-1f56-49e7-ad57-b383e1451688",
|
|
"value": "LookBack - S0582"
|
|
},
|
|
{
|
|
"description": "[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. (Citation: HackerNews-OldBoot)",
|
|
"meta": {
|
|
"external_id": "S0285",
|
|
"refs": [
|
|
"http://thehackernews.com/2014/01/first-widely-distributed-android.html",
|
|
"https://attack.mitre.org/software/S0285"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc",
|
|
"value": "OldBoot - S0285"
|
|
},
|
|
{
|
|
"description": "[RGDoor](https://attack.mitre.org/software/S0258) is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. [RGDoor](https://attack.mitre.org/software/S0258) has been seen deployed on webservers belonging to Middle East government organizations. [RGDoor](https://attack.mitre.org/software/S0258) provides backdoor access to compromised IIS servers. (Citation: Unit 42 RGDoor Jan 2018)",
|
|
"meta": {
|
|
"external_id": "S0258",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0258",
|
|
"https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
|
|
],
|
|
"synonyms": [
|
|
"RGDoor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b9eec47e-98f4-4b3c-b574-3fa8a87ebe05",
|
|
"value": "RGDoor - S0258"
|
|
},
|
|
{
|
|
"description": "[Javali](https://attack.mitre.org/software/S0528) is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.(Citation: Securelist Brazilian Banking Malware July 2020)",
|
|
"meta": {
|
|
"external_id": "S0528",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0528",
|
|
"https://securelist.com/the-tetrade-brazilian-banking-malware/97779/"
|
|
],
|
|
"synonyms": [
|
|
"Javali"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "64122557-5940-4271-9123-25bfc0c693db",
|
|
"value": "Javali - S0528"
|
|
},
|
|
{
|
|
"description": "[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. (Citation: TrendMicro-RCSAndroid)",
|
|
"meta": {
|
|
"external_id": "S0295",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/",
|
|
"https://attack.mitre.org/software/S0295"
|
|
],
|
|
"synonyms": [
|
|
"RCSAndroid"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
|
|
"value": "RCSAndroid - S0295"
|
|
},
|
|
{
|
|
"description": "[InnaputRAT](https://attack.mitre.org/software/S0259) is a remote access tool that can exfiltrate files from a victim\u2019s machine. [InnaputRAT](https://attack.mitre.org/software/S0259) has been seen out in the wild since 2016. (Citation: ASERT InnaputRAT April 2018)",
|
|
"meta": {
|
|
"external_id": "S0259",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/",
|
|
"https://attack.mitre.org/software/S0259"
|
|
],
|
|
"synonyms": [
|
|
"InnaputRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c8b6cc43-ce61-42ae-87f3-a5f10526f952",
|
|
"value": "InnaputRAT - S0259"
|
|
},
|
|
{
|
|
"description": "[CarbonSteal](https://attack.mitre.org/software/S0529) is one of a family of four surveillanceware tools that share a common C2 infrastructure. [CarbonSteal](https://attack.mitre.org/software/S0529) primarily deals with audio surveillance. (Citation: Lookout Uyghur Campaign)",
|
|
"meta": {
|
|
"external_id": "S0529",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0529",
|
|
"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"
|
|
],
|
|
"synonyms": [
|
|
"CarbonSteal"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "007ebf84-4e14-44c7-a5aa-151d5de85320",
|
|
"value": "CarbonSteal - S0529"
|
|
},
|
|
{
|
|
"description": "[P8RAT](https://attack.mitre.org/software/S0626) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)",
|
|
"meta": {
|
|
"external_id": "S0626",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0626",
|
|
"https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/"
|
|
],
|
|
"synonyms": [
|
|
"P8RAT",
|
|
"HEAVYPOT",
|
|
"GreetCake"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7c58fff0-d206-4db1-96b1-e3a9e0e320b9",
|
|
"value": "P8RAT - S0626"
|
|
},
|
|
{
|
|
"description": "[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by [Wizard Spider](https://attack.mitre.org/groups/G0102) for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of \"big game hunting\" ransomware campaigns.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: IBM TrickBot Nov 2016)(Citation: CrowdStrike Wizard Spider October 2020)",
|
|
"meta": {
|
|
"external_id": "S0266",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0266",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/",
|
|
"https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/",
|
|
"https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
|
|
"https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre",
|
|
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick",
|
|
"https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf",
|
|
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n"
|
|
],
|
|
"synonyms": [
|
|
"TrickBot",
|
|
"Totbrick",
|
|
"TSPY_TRICKLOAD"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "00806466-754d-44ea-ad6f-0caf59cb8556",
|
|
"value": "TrickBot - S0266"
|
|
},
|
|
{
|
|
"description": "[RCSession](https://attack.mitre.org/software/S0662) is a backdoor written in C++ that has been in use since at least 2018 by [Mustang Panda](https://attack.mitre.org/groups/G0129) and by [Threat Group-3390](https://attack.mitre.org/groups/G0027) (Type II Backdoor).(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro Iron Tiger April 2021)(Citation: Trend Micro DRBControl February 2020)",
|
|
"meta": {
|
|
"external_id": "S0662",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0662",
|
|
"https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf",
|
|
"https://www.secureworks.com/research/bronze-president-targets-ngos",
|
|
"https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html"
|
|
],
|
|
"synonyms": [
|
|
"RCSession"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "03acae53-9b98-46f6-b204-16b930839055",
|
|
"value": "RCSession - S0662"
|
|
},
|
|
{
|
|
"description": "[FELIXROOT](https://attack.mitre.org/software/S0267) is a backdoor that has been used to target Ukrainian victims. (Citation: FireEye FELIXROOT July 2018)",
|
|
"meta": {
|
|
"external_id": "S0267",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0267",
|
|
"https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf"
|
|
],
|
|
"synonyms": [
|
|
"FELIXROOT",
|
|
"GreyEnergy mini"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "cf8df906-179c-4a78-bd6e-6605e30f6624",
|
|
"value": "FELIXROOT - S0267"
|
|
},
|
|
{
|
|
"description": "This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor (Citation: OSX Keydnap malware).",
|
|
"meta": {
|
|
"external_id": "S0276",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0276",
|
|
"https://www.synack.com/2017/01/01/mac-malware-2016/",
|
|
"https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
|
|
],
|
|
"synonyms": [
|
|
"Keydnap",
|
|
"OSX/Keydnap"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1a80d097-54df-41d8-9d33-34e755ec5e72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b22e5153-ac28-4cc6-865c-2054e36285cb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e51137a5-1cdc-499e-911a-abaedaa5ac86",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4b072c90-bc7a-432b-940e-016fc1c01761",
|
|
"value": "Keydnap - S0276"
|
|
},
|
|
{
|
|
"description": "[SodaMaster](https://attack.mitre.org/software/S0627) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)",
|
|
"meta": {
|
|
"external_id": "S0627",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0627",
|
|
"https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/"
|
|
],
|
|
"synonyms": [
|
|
"SodaMaster",
|
|
"DARKTOWN",
|
|
"dfls",
|
|
"DelfsCake"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "94d6d788-07bb-4dcc-b62f-e02626b00108",
|
|
"value": "SodaMaster - S0627"
|
|
},
|
|
{
|
|
"description": "[Zox](https://attack.mitre.org/software/S0672) is a remote access tool that has been used by [Axiom](https://attack.mitre.org/groups/G0001) since at least 2008.(Citation: Novetta-Axiom)",
|
|
"meta": {
|
|
"external_id": "S0672",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0672",
|
|
"https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Zox",
|
|
"Gresim",
|
|
"ZoxRPC",
|
|
"ZoxPNG"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "fb28627c-d6ea-4c35-b138-ab5e96ae5445",
|
|
"value": "Zox - S0672"
|
|
},
|
|
{
|
|
"description": "OBAD is an Android malware family. (Citation: TrendMicro-Obad)",
|
|
"meta": {
|
|
"external_id": "S0286",
|
|
"refs": [
|
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/",
|
|
"https://attack.mitre.org/software/S0286"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde",
|
|
"value": "OBAD - S0286"
|
|
},
|
|
{
|
|
"description": "[FYAnti](https://attack.mitre.org/software/S0628) is a loader that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2020, including to deploy [QuasarRAT](https://attack.mitre.org/software/S0262).(Citation: Securelist APT10 March 2021)",
|
|
"meta": {
|
|
"external_id": "S0628",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0628",
|
|
"https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/"
|
|
],
|
|
"synonyms": [
|
|
"FYAnti",
|
|
"DILLJUICE stage2"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "434ba392-ebdc-488b-b1ef-518deea65774",
|
|
"value": "FYAnti - S0628"
|
|
},
|
|
{
|
|
"description": "[TrailBlazer](https://attack.mitre.org/software/S0682) is a modular malware that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2019.(Citation: CrowdStrike StellarParticle January 2022)",
|
|
"meta": {
|
|
"external_id": "S0682",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0682",
|
|
"https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/"
|
|
],
|
|
"synonyms": [
|
|
"TrailBlazer"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "bdad6f3b-de88-42fa-9295-d29b5271808e",
|
|
"value": "TrailBlazer - S0682"
|
|
},
|
|
{
|
|
"description": "[Bisonal](https://attack.mitre.org/software/S0268) is a remote access tool (RAT) that has been used by [Tonto Team](https://attack.mitre.org/groups/G0131) against public and private sector organizations in Russia, South Korea, and Japan since at least December 2010.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)",
|
|
"meta": {
|
|
"external_id": "S0268",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0268",
|
|
"https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html",
|
|
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/"
|
|
],
|
|
"synonyms": [
|
|
"Bisonal"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "65ffc206-d7c1-45b3-b543-f6b726e7840d",
|
|
"value": "Bisonal - S0268"
|
|
},
|
|
{
|
|
"description": "[QUADAGENT](https://attack.mitre.org/software/S0269) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: Unit 42 QUADAGENT July 2018)",
|
|
"meta": {
|
|
"external_id": "S0269",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0269",
|
|
"https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/"
|
|
],
|
|
"synonyms": [
|
|
"QUADAGENT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77",
|
|
"value": "QUADAGENT - S0269"
|
|
},
|
|
{
|
|
"description": "[RainyDay](https://attack.mitre.org/software/S0629) is a backdoor tool that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)",
|
|
"meta": {
|
|
"external_id": "S0629",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0629",
|
|
"https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf"
|
|
],
|
|
"synonyms": [
|
|
"RainyDay"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "29231689-5837-4a7a-aafc-1b65b3f50cc7",
|
|
"value": "RainyDay - S0629"
|
|
},
|
|
{
|
|
"description": "FruitFly is designed to spy on macOS users (Citation: objsee mac malware 2017).",
|
|
"meta": {
|
|
"external_id": "S0277",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0277",
|
|
"https://objective-see.com/blog/blog_0x25.html"
|
|
],
|
|
"synonyms": [
|
|
"FruitFly"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4a98e44a-bd52-461e-af1e-a4457de87a36",
|
|
"value": "FruitFly - S0277"
|
|
},
|
|
{
|
|
"description": "[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. (Citation: Xiao-ZergHelper)",
|
|
"meta": {
|
|
"external_id": "S0287",
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/",
|
|
"https://attack.mitre.org/software/S0287"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0",
|
|
"value": "ZergHelper - S0287"
|
|
},
|
|
{
|
|
"description": "[iKitten](https://attack.mitre.org/software/S0278) is a macOS exfiltration agent (Citation: objsee mac malware 2017).",
|
|
"meta": {
|
|
"external_id": "S0278",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0278",
|
|
"https://objective-see.com/blog/blog_0x25.html"
|
|
],
|
|
"synonyms": [
|
|
"iKitten",
|
|
"OSX/MacDownloader"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2cfe8a26-5be7-4a09-8915-ea3d9e787513",
|
|
"value": "iKitten - S0278"
|
|
},
|
|
{
|
|
"description": "[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)",
|
|
"meta": {
|
|
"external_id": "S0297",
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/",
|
|
"http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/",
|
|
"https://attack.mitre.org/software/S0297"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9",
|
|
"value": "XcodeGhost - S0297"
|
|
},
|
|
{
|
|
"description": "[Proton](https://attack.mitre.org/software/S0279) is a macOS backdoor focusing on data theft and credential access (Citation: objsee mac malware 2017).",
|
|
"meta": {
|
|
"external_id": "S0279",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0279",
|
|
"https://objective-see.com/blog/blog_0x25.html"
|
|
],
|
|
"synonyms": [
|
|
"Proton"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c541efb4-e7b1-4ad6-9da8-b4e113f5dd42",
|
|
"value": "Proton - S0279"
|
|
},
|
|
{
|
|
"description": "[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. (Citation: Xiao-KeyRaider)",
|
|
"meta": {
|
|
"external_id": "S0288",
|
|
"refs": [
|
|
"http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/",
|
|
"https://attack.mitre.org/software/S0288"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "08e22979-d320-48ed-8711-e7bf94aabb13",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50",
|
|
"value": "KeyRaider - S0288"
|
|
},
|
|
{
|
|
"description": "[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. (Citation: Lookout-NotCompatible)",
|
|
"meta": {
|
|
"external_id": "S0299",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0299",
|
|
"https://blog.lookout.com/blog/2014/11/19/notcompatible/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"almost-certain\""
|
|
],
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe",
|
|
"value": "NotCompatible - S0299"
|
|
},
|
|
{
|
|
"description": "[UBoatRAT](https://attack.mitre.org/software/S0333) is a remote access tool that was identified in May 2017.(Citation: PaloAlto UBoatRAT Nov 2017)",
|
|
"meta": {
|
|
"external_id": "S0333",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0333",
|
|
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/"
|
|
],
|
|
"synonyms": [
|
|
"UBoatRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f",
|
|
"value": "UBoatRAT - S0333"
|
|
},
|
|
{
|
|
"description": "[DarkComet](https://attack.mitre.org/software/S0334) is a Windows remote administration tool and backdoor.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)",
|
|
"meta": {
|
|
"external_id": "S0334",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0334",
|
|
"https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/",
|
|
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET"
|
|
],
|
|
"synonyms": [
|
|
"DarkComet",
|
|
"DarkKomet",
|
|
"Fynloski",
|
|
"Krademok",
|
|
"FYNLOS"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547",
|
|
"value": "DarkComet - S0334"
|
|
},
|
|
{
|
|
"description": "[Rifdoor](https://attack.mitre.org/software/S0433) is a remote access trojan (RAT) that shares numerous code similarities with [HotCroissant](https://attack.mitre.org/software/S0431).(Citation: Carbon Black HotCroissant April 2020)",
|
|
"meta": {
|
|
"external_id": "S0433",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0433",
|
|
"https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/"
|
|
],
|
|
"synonyms": [
|
|
"Rifdoor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "44c75271-0e4d-496f-ae0a-a6d883a42a65",
|
|
"value": "Rifdoor - S0433"
|
|
},
|
|
{
|
|
"description": "[SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) is a remote access Trojan written in C++ that has been used by an unidentified \"sophisticated cyber actor\" since at least January 2017.(Citation: CISA MAR SLOTHFULMEDIA October 2020)(Citation: Costin Raiu IAmTheKing October 2020) It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.(Citation: USCYBERCOM SLOTHFULMEDIA October 2020)(Citation: Kaspersky IAmTheKing October 2020) \n\nIn October 2020, Kaspersky Labs assessed [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) is part of an activity cluster it refers to as \"IAmTheKing\".(Citation: Kaspersky IAmTheKing October 2020) ESET also noted code similarity between [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) and droppers used by a group it refers to as \"PowerPool\".(Citation: ESET PowerPool Code October 2020) ",
|
|
"meta": {
|
|
"external_id": "S0533",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0533",
|
|
"https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/",
|
|
"https://twitter.com/CNMF_CyberAlert/status/1311743710997159953",
|
|
"https://twitter.com/ESETresearch/status/1311762215490461696",
|
|
"https://twitter.com/craiu/status/1311920398259367942",
|
|
"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a"
|
|
],
|
|
"synonyms": [
|
|
"SLOTHFULMEDIA",
|
|
"JackOfHearts",
|
|
"QueenOfClubs"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "feb2d7bb-aacb-48df-ad04-ccf41a30cd90",
|
|
"value": "SLOTHFULMEDIA - S0533"
|
|
},
|
|
{
|
|
"description": "[Carbon](https://attack.mitre.org/software/S0335) is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. [Carbon](https://attack.mitre.org/software/S0335) has been selectively used by [Turla](https://attack.mitre.org/groups/G0010) to target government and foreign affairs-related organizations in Central Asia.(Citation: ESET Carbon Mar 2017)(Citation: Securelist Turla Oct 2018)",
|
|
"meta": {
|
|
"external_id": "S0335",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0335",
|
|
"https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
|
|
"https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
|
|
],
|
|
"synonyms": [
|
|
"Carbon"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f",
|
|
"value": "Carbon - S0335"
|
|
},
|
|
{
|
|
"description": "[NOKKI](https://attack.mitre.org/software/S0353) is a modular remote access tool. The earliest observed attack using [NOKKI](https://attack.mitre.org/software/S0353) was in January 2018. [NOKKI](https://attack.mitre.org/software/S0353) has significant code overlap with the [KONNI](https://attack.mitre.org/software/S0356) malware family. There is some evidence potentially linking [NOKKI](https://attack.mitre.org/software/S0353) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)",
|
|
"meta": {
|
|
"external_id": "S0353",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0353",
|
|
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/",
|
|
"https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/"
|
|
],
|
|
"synonyms": [
|
|
"NOKKI"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "071d5d65-83ec-4a55-acfa-be7d5f28ba9a",
|
|
"value": "NOKKI - S0353"
|
|
},
|
|
{
|
|
"description": "[NanoCore](https://attack.mitre.org/software/S0336) is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.(Citation: DigiTrust NanoCore Jan 2017)(Citation: Cofense NanoCore Mar 2018)(Citation: PaloAlto NanoCore Feb 2016)(Citation: Unit 42 Gorgon Group Aug 2018)",
|
|
"meta": {
|
|
"external_id": "S0336",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0336",
|
|
"https://cofense.com/nanocore-rat-resurfaced-sewers/",
|
|
"https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/",
|
|
"https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
|
|
"https://www.digitrustgroup.com/nanocore-not-your-average-rat/"
|
|
],
|
|
"synonyms": [
|
|
"NanoCore"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676",
|
|
"value": "NanoCore - S0336"
|
|
},
|
|
{
|
|
"description": "[Astaroth](https://attack.mitre.org/software/S0373) is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. (Citation: Cybereason Astaroth Feb 2019)(Citation: Cofense Astaroth Sept 2018)(Citation: Securelist Brazilian Banking Malware July 2020)",
|
|
"meta": {
|
|
"external_id": "S0373",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0373",
|
|
"https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/",
|
|
"https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
|
|
"https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research"
|
|
],
|
|
"synonyms": [
|
|
"Astaroth",
|
|
"Guildma"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "edb24a93-1f7a-4bbf-a738-1397a14662c6",
|
|
"value": "Astaroth - S0373"
|
|
},
|
|
{
|
|
"description": "[BadPatch](https://attack.mitre.org/software/S0337) is a Windows Trojan that was used in a Gaza Hackers-linked campaign.(Citation: Unit 42 BadPatch Oct 2017)",
|
|
"meta": {
|
|
"external_id": "S0337",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0337",
|
|
"https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/"
|
|
],
|
|
"synonyms": [
|
|
"BadPatch"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9af05de0-bc09-4511-a350-5eb8b06185c1",
|
|
"value": "BadPatch - S0337"
|
|
},
|
|
{
|
|
"description": "[FlawedGrace](https://attack.mitre.org/software/S0383) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019)",
|
|
"meta": {
|
|
"external_id": "S0383",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0383",
|
|
"https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505"
|
|
],
|
|
"synonyms": [
|
|
"FlawedGrace"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "43155329-3edf-47a6-9a14-7dac899b01e4",
|
|
"value": "FlawedGrace - S0383"
|
|
},
|
|
{
|
|
"description": "[Micropsia](https://attack.mitre.org/software/S0339) is a remote access tool written in Delphi.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)",
|
|
"meta": {
|
|
"external_id": "S0339",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0339",
|
|
"https://blog.radware.com/security/2018/07/micropsia-malware/",
|
|
"https://blog.talosintelligence.com/2017/06/palestine-delphi.html"
|
|
],
|
|
"synonyms": [
|
|
"Micropsia"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349",
|
|
"value": "Micropsia - S0339"
|
|
},
|
|
{
|
|
"description": "[PowerStallion](https://attack.mitre.org/software/S0393) is a lightweight [PowerShell](https://attack.mitre.org/techniques/T1059/001) backdoor used by [Turla](https://attack.mitre.org/groups/G0010), possibly as a recovery access tool to install other backdoors.(Citation: ESET Turla PowerShell May 2019)",
|
|
"meta": {
|
|
"external_id": "S0393",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0393",
|
|
"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"
|
|
],
|
|
"synonyms": [
|
|
"PowerStallion"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd",
|
|
"value": "PowerStallion - S0393"
|
|
},
|
|
{
|
|
"description": "[MESSAGETAP](https://attack.mitre.org/software/S0443) is a data mining malware family deployed by [APT41](https://attack.mitre.org/groups/G0096) into telecommunications networks to monitor and save SMS traffic from specific phone numbers or IMSI numbers, or messages that contain specific keywords. (Citation: FireEye MESSAGETAP October 2019)",
|
|
"meta": {
|
|
"external_id": "S0443",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0443",
|
|
"https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html"
|
|
],
|
|
"synonyms": [
|
|
"MESSAGETAP"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "9b19d6b4-cfcb-492f-8ca8-8449e7331573",
|
|
"value": "MESSAGETAP - S0443"
|
|
},
|
|
{
|
|
"description": "[Azorult](https://attack.mitre.org/software/S0344) is a commercial Trojan that is used to steal information from compromised hosts. [Azorult](https://attack.mitre.org/software/S0344) has been observed in the wild as early as 2016.\nIn July 2018, [Azorult](https://attack.mitre.org/software/S0344) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://attack.mitre.org/software/S0344) has been seen used for cryptocurrency theft. (Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)",
|
|
"meta": {
|
|
"external_id": "S0344",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0344",
|
|
"https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/",
|
|
"https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside"
|
|
],
|
|
"synonyms": [
|
|
"Azorult"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f9b05f33-d45d-4e4d-aafe-c208d38a0080",
|
|
"value": "Azorult - S0344"
|
|
},
|
|
{
|
|
"description": "[PLEAD](https://attack.mitre.org/software/S0435) is a remote access tool (RAT) and downloader used by [BlackTech](https://attack.mitre.org/groups/G0098) in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018) [PLEAD](https://attack.mitre.org/software/S0435) has also been referred to as [TSCookie](https://attack.mitre.org/software/S0436), though more recent reporting indicates likely separation between the two. [PLEAD](https://attack.mitre.org/software/S0435) was observed in use as early as March 2017.(Citation: JPCert TSCookie March 2018)(Citation: JPCert PLEAD Downloader June 2018)",
|
|
"meta": {
|
|
"external_id": "S0435",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0435",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/",
|
|
"https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html"
|
|
],
|
|
"synonyms": [
|
|
"PLEAD"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b57f419e-8b12-49d3-886b-145383725dcd",
|
|
"value": "PLEAD - S0435"
|
|
},
|
|
{
|
|
"description": "[Bazar](https://attack.mitre.org/software/S0534) is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. [Bazar](https://attack.mitre.org/software/S0534) reportedly has ties to [TrickBot](https://attack.mitre.org/software/S0266) campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.(Citation: Cybereason Bazar July 2020)",
|
|
"meta": {
|
|
"external_id": "S0534",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0534",
|
|
"https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
|
|
"https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
|
|
"https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles",
|
|
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
|
|
],
|
|
"synonyms": [
|
|
"Bazar",
|
|
"KEGTAP",
|
|
"Team9"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "99fdf3b4-96ef-4ab9-b191-fc683441cad0",
|
|
"value": "Bazar - S0534"
|
|
},
|
|
{
|
|
"description": "[Denis](https://attack.mitre.org/software/S0354) is a Windows backdoor and Trojan used by [APT32](https://attack.mitre.org/groups/G0050). [Denis](https://attack.mitre.org/software/S0354) shares several similarities to the [SOUNDBITE](https://attack.mitre.org/software/S0157) backdoor and has been used in conjunction with the [Goopy](https://attack.mitre.org/software/S0477) backdoor.(Citation: Cybereason Oceanlotus May 2017)",
|
|
"meta": {
|
|
"external_id": "S0354",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0354",
|
|
"https://www.cybereason.com/blog/operation-cobalt-kitty-apt"
|
|
],
|
|
"synonyms": [
|
|
"Denis"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f25aab1a-0cef-4910-a85d-bb38b32ea41a",
|
|
"value": "Denis - S0354"
|
|
},
|
|
{
|
|
"description": "[Pony](https://attack.mitre.org/software/S0453) is a credential stealing malware, though it has also been used among adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 was leaked online, leading to their use by various threat actors.(Citation: Malwarebytes Pony April 2016)",
|
|
"meta": {
|
|
"external_id": "S0453",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0453",
|
|
"https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/"
|
|
],
|
|
"synonyms": [
|
|
"Pony"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "222ba512-32d9-49ac-aefd-50ce981ce2ce",
|
|
"value": "Pony - S0453"
|
|
},
|
|
{
|
|
"description": "[Seasalt](https://attack.mitre.org/software/S0345) is malware that has been linked to [APT1](https://attack.mitre.org/groups/G0006)'s 2010 operations. It shares some code similarities with [OceanSalt](https://attack.mitre.org/software/S0346).(Citation: Mandiant APT1 Appendix)(Citation: McAfee Oceansalt Oct 2018)",
|
|
"meta": {
|
|
"external_id": "S0345",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0345",
|
|
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip",
|
|
"https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Seasalt"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b45747dc-87ca-4597-a245-7e16a61bc491",
|
|
"value": "Seasalt - S0345"
|
|
},
|
|
{
|
|
"description": "[Spark](https://attack.mitre.org/software/S0543) is a Windows backdoor and has been in use since as early as 2017.(Citation: Unit42 Molerat Mar 2020)",
|
|
"meta": {
|
|
"external_id": "S0543",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0543",
|
|
"https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/"
|
|
],
|
|
"synonyms": [
|
|
"Spark"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "91541e7e-b969-40c6-bbd8-1b5352ec2938",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "03ea629c-517a-41e3-94f8-c7e5368cf8f4",
|
|
"value": "Spark - S0543"
|
|
},
|
|
{
|
|
"description": "[INSOMNIA](https://attack.mitre.org/software/S0463) is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)",
|
|
"meta": {
|
|
"external_id": "S0463",
|
|
"mitre_platforms": [
|
|
"iOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0463",
|
|
"https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/"
|
|
],
|
|
"synonyms": [
|
|
"INSOMNIA"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8605a0ec-b44a-4e98-a7fc-87d4bd3acb66",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901",
|
|
"value": "INSOMNIA - S0463"
|
|
},
|
|
{
|
|
"description": "[TSCookie](https://attack.mitre.org/software/S0436) is a remote access tool (RAT) that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) in campaigns against Japanese targets.(Citation: JPCert TSCookie March 2018)(Citation: JPCert BlackTech Malware September 2019) [TSCookie](https://attack.mitre.org/software/S0436) has been referred to as [PLEAD](https://attack.mitre.org/software/S0435), though more recent reporting indicates a separation between the two.(Citation: JPCert PLEAD Downloader June 2018)(Citation: JPCert BlackTech Malware September 2019)",
|
|
"meta": {
|
|
"external_id": "S0436",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0436",
|
|
"https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html",
|
|
"https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html"
|
|
],
|
|
"synonyms": [
|
|
"TSCookie"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "76ac7989-c5cc-42e2-93e3-d6c476f01ace",
|
|
"value": "TSCookie - S0436"
|
|
},
|
|
{
|
|
"description": "[EnvyScout](https://attack.mitre.org/software/S0634) is a dropper that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)",
|
|
"meta": {
|
|
"external_id": "S0634",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0634",
|
|
"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
|
|
],
|
|
"synonyms": [
|
|
"EnvyScout"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4dc46e3-5ba5-45b9-8204-010867cacfcb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2f8229dc-da94-41c6-89ba-b5b6c32f6b7d",
|
|
"value": "EnvyScout - S0634"
|
|
},
|
|
{
|
|
"description": "[OceanSalt](https://attack.mitre.org/software/S0346) is a Trojan that was used in a campaign targeting victims in South Korea, the United States, and Canada. [OceanSalt](https://attack.mitre.org/software/S0346) shares code similarity with [SpyNote RAT](https://attack.mitre.org/software/S0305), which has been linked to [APT1](https://attack.mitre.org/groups/G0006).(Citation: McAfee Oceansalt Oct 2018)",
|
|
"meta": {
|
|
"external_id": "S0346",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0346",
|
|
"https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf"
|
|
],
|
|
"synonyms": [
|
|
"OceanSalt"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "288fa242-e894-4c7e-ac86-856deedf5cea",
|
|
"value": "OceanSalt - S0346"
|
|
},
|
|
{
|
|
"description": "[Peppy](https://attack.mitre.org/software/S0643) is a Python-based remote access Trojan, active since at least 2012, with similarities to [Crimson](https://attack.mitre.org/software/S0115).(Citation: Proofpoint Operation Transparent Tribe March 2016)",
|
|
"meta": {
|
|
"external_id": "S0643",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0643",
|
|
"https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Peppy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6c2550d5-a01a-4bbb-a004-6ead348ba623",
|
|
"value": "Peppy - S0643"
|
|
},
|
|
{
|
|
"description": "[AuditCred](https://attack.mitre.org/software/S0347) is a malicious DLL that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) during their 2018 attacks.(Citation: TrendMicro Lazarus Nov 2018)",
|
|
"meta": {
|
|
"external_id": "S0347",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0347",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/"
|
|
],
|
|
"synonyms": [
|
|
"AuditCred",
|
|
"Roptimizer"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "24b4ce59-eaac-4c8b-8634-9b093b7ccd92",
|
|
"value": "AuditCred - S0347"
|
|
},
|
|
{
|
|
"description": "[Avenger](https://attack.mitre.org/software/S0473) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)",
|
|
"meta": {
|
|
"external_id": "S0473",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0473",
|
|
"https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Avenger"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "36ede314-7db4-4d09-b53d-81bbfbe5f6f8",
|
|
"value": "Avenger - S0473"
|
|
},
|
|
{
|
|
"description": "[Kivars](https://attack.mitre.org/software/S0437) is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by [BlackTech](https://attack.mitre.org/groups/G0098) in a 2010 campaign.(Citation: TrendMicro BlackTech June 2017)",
|
|
"meta": {
|
|
"external_id": "S0437",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0437",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/"
|
|
],
|
|
"synonyms": [
|
|
"Kivars"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b2d134a1-7bd5-4293-94d4-8fc978cb1cd7",
|
|
"value": "Kivars - S0437"
|
|
},
|
|
{
|
|
"description": "[SpeakUp](https://attack.mitre.org/software/S0374) is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. (Citation: CheckPoint SpeakUp Feb 2019)",
|
|
"meta": {
|
|
"external_id": "S0374",
|
|
"mitre_platforms": [
|
|
"Linux",
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0374",
|
|
"https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/"
|
|
],
|
|
"synonyms": [
|
|
"SpeakUp"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a5575606-9b85-4e3d-9cd2-40ef30e3672d",
|
|
"value": "SpeakUp - S0374"
|
|
},
|
|
{
|
|
"description": "[Attor](https://attack.mitre.org/software/S0438) is a Windows-based espionage platform that has been seen in use since 2013. [Attor](https://attack.mitre.org/software/S0438) has a loadable plugin architecture to customize functionality for specific targets.(Citation: ESET Attor Oct 2019)",
|
|
"meta": {
|
|
"external_id": "S0438",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0438",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Attor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8f423bd7-6ca7-4303-9e85-008c7ad5fdaa",
|
|
"value": "Attor - S0438"
|
|
},
|
|
{
|
|
"description": "[IcedID](https://attack.mitre.org/software/S0483) is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. [IcedID](https://attack.mitre.org/software/S0483) has been downloaded by [Emotet](https://attack.mitre.org/software/S0367) in multiple campaigns.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)",
|
|
"meta": {
|
|
"external_id": "S0483",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0483",
|
|
"https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware",
|
|
"https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/"
|
|
],
|
|
"synonyms": [
|
|
"IcedID"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5147ef15-1cae-4707-8ea1-bee8d98b7f1d",
|
|
"value": "IcedID - S0483"
|
|
},
|
|
{
|
|
"description": "[Dridex](https://attack.mitre.org/software/S0384) is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated [Dridex](https://attack.mitre.org/software/S0384) had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. [Dridex](https://attack.mitre.org/software/S0384) was created from the source code of the Bugat banking Trojan (also known as Cridex).(Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017)(Citation: Treasury EvilCorp Dec 2019)",
|
|
"meta": {
|
|
"external_id": "S0384",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0384",
|
|
"https://home.treasury.gov/news/press-releases/sm845",
|
|
"https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/",
|
|
"https://securelist.com/dridex-a-history-of-evolution/78531/",
|
|
"https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation"
|
|
],
|
|
"synonyms": [
|
|
"Dridex",
|
|
"Bugat v5"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19",
|
|
"value": "Dridex - S0384"
|
|
},
|
|
{
|
|
"description": "[GoldenSpy](https://attack.mitre.org/software/S0493) is a backdoor malware which has been packaged with legitimate tax preparation software. [GoldenSpy](https://attack.mitre.org/software/S0493) was discovered targeting organizations in China, being delivered with the \"Intelligent Tax\" software suite, which is produced by the Golden Tax Department of Aisino Credit Information Co. and is required to pay local taxes.(Citation: Trustwave GoldenSpy June 2020)",
|
|
"meta": {
|
|
"external_id": "S0493",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0493",
|
|
"https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/"
|
|
],
|
|
"synonyms": [
|
|
"GoldenSpy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b9704a7d-feef-4af9-8898-5280f1686326",
|
|
"value": "GoldenSpy - S0493"
|
|
},
|
|
{
|
|
"description": "[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)",
|
|
"meta": {
|
|
"external_id": "S0394",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0394",
|
|
"https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/"
|
|
],
|
|
"synonyms": [
|
|
"HiddenWasp"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "fc774af4-533b-4724-96d2-ac1026316794",
|
|
"value": "HiddenWasp - S0394"
|
|
},
|
|
{
|
|
"description": "[Okrum](https://attack.mitre.org/software/S0439) is a Windows backdoor that has been seen in use since December 2016 with strong links to [Ke3chang](https://attack.mitre.org/groups/G0004).(Citation: ESET Okrum July 2019)",
|
|
"meta": {
|
|
"external_id": "S0439",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0439",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Okrum"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "91541e7e-b969-40c6-bbd8-1b5352ec2938",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4b6ec280-7bbb-48ff-ae59-b189520ebe83",
|
|
"value": "Okrum - S0439"
|
|
},
|
|
{
|
|
"description": "[MoleNet](https://attack.mitre.org/software/S0553) is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.(Citation: Cybereason Molerats Dec 2020)",
|
|
"meta": {
|
|
"external_id": "S0553",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0553",
|
|
"https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf"
|
|
],
|
|
"synonyms": [
|
|
"MoleNet"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8a59f456-79a0-4151-9f56-9b1a67332af2",
|
|
"value": "MoleNet - S0553"
|
|
},
|
|
{
|
|
"description": "[BoomBox](https://attack.mitre.org/software/S0635) is a downloader responsible for executing next stage components that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)",
|
|
"meta": {
|
|
"external_id": "S0635",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0635",
|
|
"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
|
|
],
|
|
"synonyms": [
|
|
"BoomBox"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c26f1c05-b861-4970-94dc-2f7f921a3074",
|
|
"value": "BoomBox - S0635"
|
|
},
|
|
{
|
|
"description": "[xCaon](https://attack.mitre.org/software/S0653) is an HTTP variant of the [BoxCaon](https://attack.mitre.org/software/S0651) malware family that has been used by [IndigoZebra](https://attack.mitre.org/groups/G0136) since at least 2014. [xCaon](https://attack.mitre.org/software/S0653) has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)",
|
|
"meta": {
|
|
"external_id": "S0653",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0653",
|
|
"https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/",
|
|
"https://securelist.com/apt-trends-report-q2-2017/79332/"
|
|
],
|
|
"synonyms": [
|
|
"xCaon"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "21583311-6321-4891-8a37-3eb4e57b0fb1",
|
|
"value": "xCaon - S0653"
|
|
},
|
|
{
|
|
"description": "[GPlayed](https://attack.mitre.org/software/S0536) is an Android trojan with a broad range of capabilities.(Citation: Talos GPlayed) ",
|
|
"meta": {
|
|
"external_id": "S0536",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0536",
|
|
"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"
|
|
],
|
|
"synonyms": [
|
|
"GPlayed"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00290ac5-551e-44aa-bbd8-c4b913488a6d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9c049d7b-c92a-4733-9381-27e2bd2ccadc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb6cf439-1bcb-4d10-bc68-1eed844ed7b3",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a993495c-9813-4372-b9ec-d168c7f7ec0a",
|
|
"value": "GPlayed - S0536"
|
|
},
|
|
{
|
|
"description": "[KONNI](https://attack.mitre.org/software/S0356) is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Talos Konni May 2017)(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)",
|
|
"meta": {
|
|
"external_id": "S0356",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0356",
|
|
"https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
|
|
"https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
|
|
"https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
|
|
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/",
|
|
"https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/"
|
|
],
|
|
"synonyms": [
|
|
"KONNI"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "86b92f6c-9c05-4c51-b361-4c7bb13e21a1",
|
|
"value": "KONNI - S0356"
|
|
},
|
|
{
|
|
"description": "[HyperStack](https://attack.mitre.org/software/S0537) is an RPC-based backdoor used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2018. [HyperStack](https://attack.mitre.org/software/S0537) has similarities to other backdoors used by [Turla](https://attack.mitre.org/groups/G0010) including [Carbon](https://attack.mitre.org/software/S0335).(Citation: Accenture HyperStack October 2020)",
|
|
"meta": {
|
|
"external_id": "S0537",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0537",
|
|
"https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity"
|
|
],
|
|
"synonyms": [
|
|
"HyperStack"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2cf7dec3-66fc-423f-b2c7-58f1de243b4e",
|
|
"value": "HyperStack - S0537"
|
|
},
|
|
{
|
|
"description": "[Remexi](https://attack.mitre.org/software/S0375) is a Windows-based Trojan that was developed in the C programming language.(Citation: Securelist Remexi Jan 2019)",
|
|
"meta": {
|
|
"external_id": "S0375",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0375",
|
|
"https://securelist.com/chafer-used-remexi-malware/89538/"
|
|
],
|
|
"synonyms": [
|
|
"Remexi"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5",
|
|
"value": "Remexi - S0375"
|
|
},
|
|
{
|
|
"description": "[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)",
|
|
"meta": {
|
|
"external_id": "S0385",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0385",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/",
|
|
"https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html",
|
|
"https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf"
|
|
],
|
|
"synonyms": [
|
|
"njRAT",
|
|
"Njw0rm",
|
|
"LV",
|
|
"Bladabindi"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29ba5a15-3b7b-4732-b817-65ea8f6468e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945",
|
|
"value": "njRAT - S0385"
|
|
},
|
|
{
|
|
"description": "[Crutch](https://attack.mitre.org/software/S0538) is a backdoor designed for document theft that has been used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2015.(Citation: ESET Crutch December 2020)",
|
|
"meta": {
|
|
"external_id": "S0538",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0538",
|
|
"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"
|
|
],
|
|
"synonyms": [
|
|
"Crutch"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "925a6c52-5cf0-4fec-99de-b0d6917d8593",
|
|
"value": "Crutch - S0538"
|
|
},
|
|
{
|
|
"description": "[Pysa](https://attack.mitre.org/software/S0583) is a ransomware that was first used in October 2018 and has been observed targeting particularly high-value finance, government, and healthcare organizations.(Citation: CERT-FR PYSA April 2020)",
|
|
"meta": {
|
|
"external_id": "S0583",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0583",
|
|
"https://digital.nhs.uk/cyber-alerts/2020/cc-3633",
|
|
"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
|
|
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Pysa",
|
|
"Mespinoza"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a19c1197-9414-46e3-986f-0f609ff4a46b",
|
|
"value": "Pysa - S0583"
|
|
},
|
|
{
|
|
"description": "[ECCENTRICBANDWAGON](https://attack.mitre.org/software/S0593) is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.(Citation: CISA EB Aug 2020)",
|
|
"meta": {
|
|
"external_id": "S0593",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0593",
|
|
"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a"
|
|
],
|
|
"synonyms": [
|
|
"ECCENTRICBANDWAGON"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e928333f-f3df-4039-9b8b-556c2add0e42",
|
|
"value": "ECCENTRICBANDWAGON - S0593"
|
|
},
|
|
{
|
|
"description": "[LightNeuron](https://attack.mitre.org/software/S0395) is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. [LightNeuron](https://attack.mitre.org/software/S0395) has been used by [Turla](https://attack.mitre.org/groups/G0010) to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of [LightNeuron](https://attack.mitre.org/software/S0395) exists.(Citation: ESET LightNeuron May 2019)",
|
|
"meta": {
|
|
"external_id": "S0395",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0395",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf"
|
|
],
|
|
"synonyms": [
|
|
"LightNeuron"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb",
|
|
"value": "LightNeuron - S0395"
|
|
},
|
|
{
|
|
"description": "[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)",
|
|
"meta": {
|
|
"external_id": "S0366",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0366",
|
|
"https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/",
|
|
"https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
|
|
"https://www.secureworks.com/research/wcry-ransomware-analysis",
|
|
"https://www.us-cert.gov/ncas/alerts/TA17-132A",
|
|
"https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4"
|
|
],
|
|
"synonyms": [
|
|
"WannaCry",
|
|
"WanaCry",
|
|
"WanaCrypt",
|
|
"WanaCrypt0r",
|
|
"WCry"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661",
|
|
"value": "WannaCry - S0366"
|
|
},
|
|
{
|
|
"description": "[VaporRage](https://attack.mitre.org/software/S0636) is a shellcode downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)",
|
|
"meta": {
|
|
"external_id": "S0636",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0636",
|
|
"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
|
|
],
|
|
"synonyms": [
|
|
"VaporRage"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "96eca9b9-b37f-42f1-96dc-a2c441403194",
|
|
"value": "VaporRage - S0636"
|
|
},
|
|
{
|
|
"description": "[SysUpdate](https://attack.mitre.org/software/S0663) is a backdoor written in C++ that has been used by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2020.(Citation: Trend Micro Iron Tiger April 2021)",
|
|
"meta": {
|
|
"external_id": "S0663",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0663",
|
|
"https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html"
|
|
],
|
|
"synonyms": [
|
|
"SysUpdate",
|
|
"HyperSSL",
|
|
"Soldier",
|
|
"FOCUSFJORD"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c009560a-f097-45a3-8f9f-78ec1440a783",
|
|
"value": "SysUpdate - S0663"
|
|
},
|
|
{
|
|
"description": "[DarkWatchman](https://attack.mitre.org/software/S0673) is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.(Citation: Prevailion DarkWatchman 2021)",
|
|
"meta": {
|
|
"external_id": "S0673",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0673",
|
|
"https://www.prevailion.com/darkwatchman-new-fileless-techniques/"
|
|
],
|
|
"synonyms": [
|
|
"DarkWatchman"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "63686509-069b-4143-99ea-4e59cad6cb2a",
|
|
"value": "DarkWatchman - S0673"
|
|
},
|
|
{
|
|
"description": "[Emotet](https://attack.mitre.org/software/S0367) is a modular malware family that is primarily used as a downloader for other malware such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014 and has primarily been used to target the banking sector.(Citation: Trend Micro Banking Malware Jan 2019)",
|
|
"meta": {
|
|
"external_id": "S0367",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0367",
|
|
"https://blog.talosintelligence.com/2019/01/return-of-emotet.html",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/",
|
|
"https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf",
|
|
"https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/",
|
|
"https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/",
|
|
"https://support.malwarebytes.com/docs/DOC-2295",
|
|
"https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/",
|
|
"https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/",
|
|
"https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html",
|
|
"https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader",
|
|
"https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor",
|
|
"https://www.us-cert.gov/ncas/alerts/TA18-201A",
|
|
"https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/"
|
|
],
|
|
"synonyms": [
|
|
"Emotet",
|
|
"Geodo"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "494ab9f0-36e0-4b06-b10d-57285b040a06",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023",
|
|
"value": "Emotet - S0367"
|
|
},
|
|
{
|
|
"description": "[HOPLIGHT](https://attack.mitre.org/software/S0376) is a backdoor Trojan that has reportedly been used by the North Korean government.(Citation: US-CERT HOPLIGHT Apr 2019)",
|
|
"meta": {
|
|
"external_id": "S0376",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0376",
|
|
"https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
|
|
],
|
|
"synonyms": [
|
|
"HOPLIGHT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "215d9700-5881-48b8-8265-6449dbb7195d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369",
|
|
"value": "HOPLIGHT - S0376"
|
|
},
|
|
{
|
|
"description": "[NativeZone](https://attack.mitre.org/software/S0637) is the name given collectively to disposable custom [Cobalt Strike](https://attack.mitre.org/software/S0154) loaders used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)(Citation: SentinelOne NobleBaron June 2021)",
|
|
"meta": {
|
|
"external_id": "S0637",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0637",
|
|
"https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/",
|
|
"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
|
|
],
|
|
"synonyms": [
|
|
"NativeZone"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84",
|
|
"value": "NativeZone - S0637"
|
|
},
|
|
{
|
|
"description": "[Babuk](https://attack.mitre.org/software/S0638) is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of [Babuk](https://attack.mitre.org/software/S0638) employ a \"Big Game Hunting\" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: CyberScoop Babuk February 2021)",
|
|
"meta": {
|
|
"external_id": "S0638",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0638",
|
|
"https://www.cyberscoop.com/babuk-ransomware-serco-attack/",
|
|
"https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf",
|
|
"https://www.sogeti.com/globalassets/reports/cybersecchronicles_-_babuk.pdf",
|
|
"https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html"
|
|
],
|
|
"synonyms": [
|
|
"Babuk",
|
|
"Babyk",
|
|
"Vasa Locker"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "61c7a91a-0b83-461d-ad32-75d96eed4a09",
|
|
"value": "Babuk - S0638"
|
|
},
|
|
{
|
|
"description": "[NotPetya](https://attack.mitre.org/software/S0368) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://attack.mitre.org/software/S0368) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)",
|
|
"meta": {
|
|
"external_id": "S0368",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0368",
|
|
"https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html",
|
|
"https://www.justice.gov/opa/press-release/file/1328521/download",
|
|
"https://www.us-cert.gov/ncas/alerts/TA17-181A",
|
|
"https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/"
|
|
],
|
|
"synonyms": [
|
|
"NotPetya",
|
|
"ExPetr",
|
|
"Diskcoder.C",
|
|
"GoldenEye",
|
|
"Petrwrap",
|
|
"Nyetya"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb",
|
|
"value": "NotPetya - S0368"
|
|
},
|
|
{
|
|
"description": "[Ursnif](https://attack.mitre.org/software/S0386) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)s, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) [Ursnif](https://attack.mitre.org/software/S0386) is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.(Citation: TrendMicro Ursnif Mar 2015)",
|
|
"meta": {
|
|
"external_id": "S0386",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0386",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992",
|
|
"https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif",
|
|
"https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html",
|
|
"https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality"
|
|
],
|
|
"synonyms": [
|
|
"Ursnif",
|
|
"Gozi-ISFB",
|
|
"PE_URSNIF",
|
|
"Dreambot"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e49ee9d2-0d98-44ef-85e5-5d3100065744",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407",
|
|
"value": "Ursnif - S0386"
|
|
},
|
|
{
|
|
"description": "[EvilBunny](https://attack.mitre.org/software/S0396) is a C++ malware sample observed since 2011 that was designed to be an execution platform for Lua scripts.(Citation: Cyphort EvilBunny Dec 2014)",
|
|
"meta": {
|
|
"external_id": "S0396",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0396",
|
|
"https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/"
|
|
],
|
|
"synonyms": [
|
|
"EvilBunny"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a8a778f5-0035-4870-bb25-53dc05029586",
|
|
"value": "EvilBunny - S0396"
|
|
},
|
|
{
|
|
"description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
|
|
"meta": {
|
|
"external_id": "S0369",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0369",
|
|
"https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/"
|
|
],
|
|
"synonyms": [
|
|
"CoinTicker"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d1531eaa-9e17-473e-a680-3298469662c3",
|
|
"value": "CoinTicker - S0369"
|
|
},
|
|
{
|
|
"description": "[CaddyWiper](https://attack.mitre.org/software/S0693) is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.(Citation: ESET CaddyWiper March 2022)(Citation: Cisco CaddyWiper March 2022)",
|
|
"meta": {
|
|
"external_id": "S0693",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0693",
|
|
"https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html",
|
|
"https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine"
|
|
],
|
|
"synonyms": [
|
|
"CaddyWiper"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b30d999d-64e0-4e35-9856-884e4b83d611",
|
|
"value": "CaddyWiper - S0693"
|
|
},
|
|
{
|
|
"description": "[Ebury](https://attack.mitre.org/software/S0377) is an SSH backdoor targeting Linux operating systems. Installing it requires root-level access, which the attackers use to replace the OpenSSH binaries (ssh, sshd, ssh-add, etc.) or to modify a shared library loaded by OpenSSH (libkeyutils).(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)(Citation: ESET Ebury Oct 2017)",
|
|
"meta": {
|
|
"external_id": "S0377",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0377",
|
|
"https://www.bleepingcomputer.com/news/security/russian-hacker-pleads-guilty-for-role-in-infamous-linux-ebury-malware/",
|
|
"https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/",
|
|
"https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/"
|
|
],
|
|
"synonyms": [
|
|
"Ebury"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51",
|
|
"value": "Ebury - S0377"
|
|
},
|
|
{
|
|
"description": "[KeyBoy](https://attack.mitre.org/software/S0387) is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: PWC KeyBoys Feb 2017)",
|
|
"meta": {
|
|
"external_id": "S0387",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0387",
|
|
"https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
|
|
"https://citizenlab.ca/2016/11/parliament-keyboy/",
|
|
"https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html"
|
|
],
|
|
"synonyms": [
|
|
"KeyBoy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e",
|
|
"value": "KeyBoy - S0387"
|
|
},
|
|
{
|
|
"description": "[LoJax](https://attack.mitre.org/software/S0397) is a UEFI rootkit used by [APT28](https://attack.mitre.org/groups/G0007) to persist remote access software on targeted systems.(Citation: ESET LoJax Sept 2018)",
|
|
"meta": {
|
|
"external_id": "S0397",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0397",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf"
|
|
],
|
|
"synonyms": [
|
|
"LoJax"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "16ab6452-c3c1-497c-a47d-206018ca1ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b865dded-0553-4962-a44b-6fe7863effed",
|
|
"value": "LoJax - S0397"
|
|
},
|
|
{
|
|
"description": "[YAHOYAH](https://attack.mitre.org/software/S0388) is a Trojan used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) as a second-stage backdoor.(Citation: TrendMicro TropicTrooper 2015)",
|
|
"meta": {
|
|
"external_id": "S0388",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0388",
|
|
"https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf"
|
|
],
|
|
"synonyms": [
|
|
"YAHOYAH"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3",
|
|
"value": "YAHOYAH - S0388"
|
|
},
|
|
{
|
|
"description": "[HyperBro](https://attack.mitre.org/software/S0398) is a custom in-memory backdoor used by [Threat Group-3390](https://attack.mitre.org/groups/G0027).(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)",
|
|
"meta": {
|
|
"external_id": "S0398",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0398",
|
|
"https://securelist.com/luckymouse-hits-national-data-center/86083/",
|
|
"https://thehackernews.com/2018/06/chinese-watering-hole-attack.html",
|
|
"https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/"
|
|
],
|
|
"synonyms": [
|
|
"HyperBro"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5e814485-012d-423d-b769-026bfed0f451",
|
|
"value": "HyperBro - S0398"
|
|
},
|
|
{
|
|
"description": "[JCry](https://attack.mitre.org/software/S0389) is ransomware written in Go. It was identified as part of the #OpJerusalem 2019 campaign.(Citation: Carbon Black JCry May 2019)",
|
|
"meta": {
|
|
"external_id": "S0389",
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0389",
|
|
"https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/"
|
|
],
|
|
"synonyms": [
|
|
"JCry"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "aaf3fa65-8b27-4e68-91de-2b7738fe4c82",
|
|
"value": "JCry - S0389"
|
|
},
|
|
{
|
|
"description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)",
|
|
"meta": {
|
|
"external_id": "S0399",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0399",
|
|
"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Pallas"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32063d7f-0a39-440d-a4a3-2694488f96cc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
|
|
"value": "Pallas - S0399"
|
|
},
|
|
{
|
|
"description": "[ShimRat](https://attack.mitre.org/software/S0444) has been used by the suspected China-based adversary [Mofang](https://attack.mitre.org/groups/G0103) in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name \"[ShimRat](https://attack.mitre.org/software/S0444)\" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. (Citation: FOX-IT May 2016 Mofang)",
|
|
"meta": {
|
|
"external_id": "S0444",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0444",
|
|
"https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf"
|
|
],
|
|
"synonyms": [
|
|
"ShimRat"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5763217a-05b6-4edd-9bca-057e47b5e403",
|
|
"value": "ShimRat - S0444"
|
|
},
|
|
{
|
|
"description": "[HenBox](https://attack.mitre.org/software/S0544) is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. [HenBox](https://attack.mitre.org/software/S0544) has primarily been used to target Uyghurs, a minority Turkic ethnic group.(Citation: Palo Alto HenBox)",
|
|
"meta": {
|
|
"external_id": "S0544",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0544",
|
|
"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"
|
|
],
|
|
"synonyms": [
|
|
"HenBox"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "aef537ba-10c2-40ed-a57a-80b8508aada4",
|
|
"value": "HenBox - S0544"
|
|
},
|
|
{
|
|
"description": "[Cadelspy](https://attack.mitre.org/software/S0454) is a backdoor that has been used by [APT39](https://attack.mitre.org/groups/G0087).(Citation: Symantec Chafer Dec 2015)",
|
|
"meta": {
|
|
"external_id": "S0454",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0454",
|
|
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
|
|
],
|
|
"synonyms": [
|
|
"Cadelspy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a705b085-1eae-455e-8f4d-842483d814eb",
|
|
"value": "Cadelspy - S0454"
|
|
},
|
|
{
|
|
"description": "[ObliqueRAT](https://attack.mitre.org/software/S0644) is a remote access trojan, similar to [Crimson](https://attack.mitre.org/software/S0115), that has been in use by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2020.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)",
|
|
"meta": {
|
|
"external_id": "S0644",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0644",
|
|
"https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html",
|
|
"https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html"
|
|
],
|
|
"synonyms": [
|
|
"ObliqueRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5864e59f-eb4c-43ad-83b2-b5e4fae056c9",
|
|
"value": "ObliqueRAT - S0644"
|
|
},
|
|
{
|
|
"description": "[SYSCON](https://attack.mitre.org/software/S0464) is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. [SYSCON](https://attack.mitre.org/software/S0464) has been delivered by the [CARROTBALL](https://attack.mitre.org/software/S0465) and [CARROTBAT](https://attack.mitre.org/software/S0462) droppers.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)",
|
|
"meta": {
|
|
"external_id": "S0464",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0464",
|
|
"https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
|
|
"https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/"
|
|
],
|
|
"synonyms": [
|
|
"SYSCON"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "edf5aee2-9b1c-4252-8e64-25b12f14c8b3",
|
|
"value": "SYSCON - S0464"
|
|
},
|
|
{
|
|
"description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)",
|
|
"meta": {
|
|
"external_id": "S0446",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0446",
|
|
"https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/",
|
|
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
|
|
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
|
|
"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html"
|
|
],
|
|
"synonyms": [
|
|
"Ryuk"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a020a61c-423f-4195-8c46-ba1d21abba37",
|
|
"value": "Ryuk - S0446"
|
|
},
|
|
{
|
|
"description": "[Lokibot](https://attack.mitre.org/software/S0447) is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. [Lokibot](https://attack.mitre.org/software/S0447) can also create a backdoor into infected systems to allow an attacker to install additional payloads.(Citation: Infoblox Lokibot January 2019)(Citation: Morphisec Lokibot April 2020)(Citation: CISA Lokibot September 2020)",
|
|
"meta": {
|
|
"external_id": "S0447",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0447",
|
|
"https://blog.morphisec.com/lokibot-with-autoit-obfuscator-frenchy-shellcode",
|
|
"https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html",
|
|
"https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22",
|
|
"https://us-cert.cisa.gov/ncas/alerts/aa20-266a"
|
|
],
|
|
"synonyms": [
|
|
"Lokibot"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "cb741463-f0fe-42e0-8d45-bc7e8335f5ae",
|
|
"value": "Lokibot - S0447"
|
|
},
|
|
{
|
|
"description": "[Carberp](https://attack.mitre.org/software/S0484) is a credential and information stealing malware that has been active since at least 2009. [Carberp](https://attack.mitre.org/software/S0484)'s source code was leaked online in 2013, and subsequently used as the foundation for the [Carbanak](https://attack.mitre.org/software/S0030) backdoor.(Citation: Trend Micro Carberp February 2014)(Citation: KasperskyCarbanak)(Citation: RSA Carbanak November 2017)",
|
|
"meta": {
|
|
"external_id": "S0484",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0484",
|
|
"https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/",
|
|
"https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf",
|
|
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/carberp"
|
|
],
|
|
"synonyms": [
|
|
"Carberp"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "bbcd7a02-ef24-4171-ac94-a93540173b94",
|
|
"value": "Carberp - S0484"
|
|
},
|
|
{
|
|
"description": "[Maze](https://attack.mitre.org/software/S0449) ransomware, previously known as \"ChaCha\", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [Maze](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)",
|
|
"meta": {
|
|
"external_id": "S0449",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0449",
|
|
"https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/",
|
|
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
|
|
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/"
|
|
],
|
|
"synonyms": [
|
|
"Maze"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d9f7383c-95ec-4080-bbce-121c9384457b",
|
|
"value": "Maze - S0449"
|
|
},
|
|
{
|
|
"description": "[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)",
|
|
"meta": {
|
|
"external_id": "S0494",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0494",
|
|
"https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"
|
|
],
|
|
"synonyms": [
|
|
"Zen"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6e17ca2-08b5-4379-9786-89bd05241831",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "22faaa56-a8ac-4292-9be6-b571b255ee40",
|
|
"value": "Zen - S0494"
|
|
},
|
|
{
|
|
"description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.(Citation: WhiteOps TERRACOTTA)",
|
|
"meta": {
|
|
"external_id": "S0545",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0545",
|
|
"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"
|
|
],
|
|
"synonyms": [
|
|
"TERRACOTTA"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00290ac5-551e-44aa-bbd8-c4b913488a6d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "939808a7-121d-467a-b028-4441ee8b7cee",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a8e971b8-8dc7-4514-8249-ae95427ec467",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e296b110-46d3-4f7a-894c-cc71ea50168c",
|
|
"value": "TERRACOTTA - S0545"
|
|
},
|
|
{
|
|
"description": "[Egregor](https://attack.mitre.org/software/S0554) is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between [Egregor](https://attack.mitre.org/software/S0554) and Sekhmet ransomware, as well as [Maze](https://attack.mitre.org/software/S0449) ransomware.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020)(Citation: Security Boulevard Egregor Oct 2020)",
|
|
"meta": {
|
|
"external_id": "S0554",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0554",
|
|
"https://cybleinc.com/2020/10/31/egregor-ransomware-a-deep-dive-into-its-activities-and-techniques/",
|
|
"https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary",
|
|
"https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/"
|
|
],
|
|
"synonyms": [
|
|
"Egregor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "cc4c1287-9c86-4447-810c-744f3880ec37",
|
|
"value": "Egregor - S0554"
|
|
},
|
|
{
|
|
"description": "[Metamorfo](https://attack.mitre.org/software/S0455) is a Latin American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019)",
|
|
"meta": {
|
|
"external_id": "S0455",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0455",
|
|
"https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
|
|
"https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/"
|
|
],
|
|
"synonyms": [
|
|
"Metamorfo",
|
|
"Casbaneiro"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "81c57a96-fc8c-4f91-af8e-63e24c2927c2",
|
|
"value": "Metamorfo - S0455"
|
|
},
|
|
{
|
|
"description": "[BlackMould](https://attack.mitre.org/software/S0564) is a web shell based on [China Chopper](https://attack.mitre.org/software/S0020) for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by [GALLIUM](https://attack.mitre.org/groups/G0093) against telecommunication providers.(Citation: Microsoft GALLIUM December 2019)",
|
|
"meta": {
|
|
"external_id": "S0564",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0564",
|
|
"https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/"
|
|
],
|
|
"synonyms": [
|
|
"BlackMould"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "63c4511b-2d6e-4bb2-b582-e2e99a8a467d",
|
|
"value": "BlackMould - S0564"
|
|
},
|
|
{
|
|
"description": "[ProLock](https://attack.mitre.org/software/S0654) is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with [QakBot](https://attack.mitre.org/software/S0650). [ProLock](https://attack.mitre.org/software/S0654) is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.(Citation: Group IB Ransomware September 2020)",
|
|
"meta": {
|
|
"external_id": "S0654",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0654",
|
|
"https://groupib.pathfactory.com/ransomware-reports/prolock_wp"
|
|
],
|
|
"synonyms": [
|
|
"ProLock"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "471d0e9f-2c8a-4e4b-8f3b-f85d2407806e",
|
|
"value": "ProLock - S0654"
|
|
},
|
|
{
|
|
"description": "[SharpStage](https://attack.mitre.org/software/S0546) is a .NET malware with backdoor capabilities.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)",
|
|
"meta": {
|
|
"external_id": "S0546",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0546",
|
|
"https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/",
|
|
"https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf"
|
|
],
|
|
"synonyms": [
|
|
"SharpStage"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0ba9281c-93fa-4b29-8e9e-7ef918c7b13a",
|
|
"value": "SharpStage - S0546"
|
|
},
|
|
{
|
|
"description": "[BendyBear](https://attack.mitre.org/software/S0574) is x64 shellcode for a stage-zero implant designed to download additional malware from a C2 server. First discovered in August 2020, [BendyBear](https://attack.mitre.org/software/S0574) shares a variety of features with [Waterbear](https://attack.mitre.org/software/S0579), malware previously attributed to the Chinese cyber espionage group [BlackTech](https://attack.mitre.org/groups/G0098).(Citation: Unit42 BendyBear Feb 2021)",
|
|
"meta": {
|
|
"external_id": "S0574",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0574",
|
|
"https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/"
|
|
],
|
|
"synonyms": [
|
|
"BendyBear"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "805480f1-6caa-4a67-8ca9-b2b39650d986",
|
|
"value": "BendyBear - S0574"
|
|
},
|
|
{
|
|
"description": "[BackConfig](https://attack.mitre.org/software/S0475) is a custom Trojan with a flexible plugin architecture that has been used by [Patchwork](https://attack.mitre.org/groups/G0040).(Citation: Unit 42 BackConfig May 2020)",
|
|
"meta": {
|
|
"external_id": "S0475",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0475",
|
|
"https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/"
|
|
],
|
|
"synonyms": [
|
|
"BackConfig"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c13d9621-aca7-436b-ab3d-3a95badb3d00",
|
|
"value": "BackConfig - S0475"
|
|
},
|
|
{
|
|
"description": "[DropBook](https://attack.mitre.org/software/S0547) is a Python-based backdoor compiled with PyInstaller.(Citation: Cybereason Molerats Dec 2020)",
|
|
"meta": {
|
|
"external_id": "S0547",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0547",
|
|
"https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/",
|
|
"https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf"
|
|
],
|
|
"synonyms": [
|
|
"DropBook"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3ae6097d-d700-46c6-8b21-42fc0bcb48fa",
|
|
"value": "DropBook - S0547"
|
|
},
|
|
{
|
|
"description": "[Netwalker](https://attack.mitre.org/software/S0457) is fileless ransomware written in PowerShell and executed directly in memory.(Citation: TrendMicro Netwalker May 2020)",
|
|
"meta": {
|
|
"external_id": "S0457",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0457",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/"
|
|
],
|
|
"synonyms": [
|
|
"Netwalker"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "754effde-613c-4244-a83e-fb659b2a4d06",
|
|
"value": "Netwalker - S0457"
|
|
},
|
|
{
|
|
"description": "[AppleJeus](https://attack.mitre.org/software/S0584) is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. [AppleJeus](https://attack.mitre.org/software/S0584) has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032), targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. [AppleJeus](https://attack.mitre.org/software/S0584) has been used to distribute the [FALLCHILL](https://attack.mitre.org/software/S0181) RAT.(Citation: CISA AppleJeus Feb 2021)",
|
|
"meta": {
|
|
"external_id": "S0584",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0584",
|
|
"https://us-cert.cisa.gov/ncas/alerts/aa21-048a"
|
|
],
|
|
"synonyms": [
|
|
"AppleJeus"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "810aa4ad-61c9-49cb-993f-daa06199421d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "da051493-ae9c-4b1b-9760-c009c46c9b56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e2d34c63-6f5a-41f5-86a2-e2380f27f858",
|
|
"value": "AppleJeus - S0584"
|
|
},
|
|
{
|
|
"description": "[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.\n\n[Mandrake](https://attack.mitre.org/software/S0485) has gone undetected for several years by being delivered through otherwise legitimate-looking, ad-free applications backed by a social media presence and real user reviews. The malicious functionality is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)",
|
|
"meta": {
|
|
"external_id": "S0485",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0485",
|
|
"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Mandrake",
|
|
"oxide",
|
|
"briar",
|
|
"ricinus",
|
|
"darkmatter"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aa78dfd-cb6f-4c70-9408-137cfd96be49",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "939808a7-121d-467a-b028-4441ee8b7cee",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1f1337e-aea7-454c-86bd-482a98ffaf62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fd211238-f767-4599-8c0d-9dca36624626",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "52c994fa-b6c8-45a8-9586-a4275cf19307",
|
|
"value": "Mandrake - S0485"
|
|
},
|
|
{
|
|
"description": "[Ramsay](https://attack.mitre.org/software/S0458) is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between [Ramsay](https://attack.mitre.org/software/S0458) and the [Darkhotel](https://attack.mitre.org/groups/G0012)-associated Retro malware.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)",
|
|
"meta": {
|
|
"external_id": "S0458",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0458",
|
|
"https://www.programmersought.com/article/62493896999/",
|
|
"https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/"
|
|
],
|
|
"synonyms": [
|
|
"Ramsay"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ba09b86c-1c40-4ff1-bda0-0d8c4ca35997",
|
|
"value": "Ramsay - S0458"
|
|
},
|
|
{
|
|
"description": "[RDAT](https://attack.mitre.org/software/S0495) is a backdoor used by the suspected Iranian threat group [OilRig](https://attack.mitre.org/groups/G0049). [RDAT](https://attack.mitre.org/software/S0495) was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July 2020)",
|
|
"meta": {
|
|
"external_id": "S0495",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0495",
|
|
"https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/"
|
|
],
|
|
"synonyms": [
|
|
"RDAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4b346d12-7f91-48d2-8f06-b26ffa0d825b",
|
|
"value": "RDAT - S0495"
|
|
},
|
|
{
|
|
"description": "[SilkBean](https://attack.mitre.org/software/S0549) is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.(Citation: Lookout Uyghur Campaign)",
|
|
"meta": {
|
|
"external_id": "S0549",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0549",
|
|
"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"
|
|
],
|
|
"synonyms": [
|
|
"SilkBean"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ddbe5657-e21e-4a89-8221-2f1362d397ec",
|
|
"value": "SilkBean - S0549"
|
|
},
|
|
{
|
|
"description": "[MechaFlounder](https://attack.mitre.org/software/S0459) is a Python-based remote access tool (RAT) that has been used by [APT39](https://attack.mitre.org/groups/G0087). The payload uses a combination of actor-developed code and code snippets freely available online in development communities.(Citation: Unit 42 MechaFlounder March 2019)",
|
|
"meta": {
|
|
"external_id": "S0459",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0459",
|
|
"https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/"
|
|
],
|
|
"synonyms": [
|
|
"MechaFlounder"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2",
|
|
"value": "MechaFlounder - S0459"
|
|
},
|
|
{
|
|
"description": "[SpicyOmelette](https://attack.mitre.org/software/S0646) is a JavaScript based remote access tool that has been used by [Cobalt Group](https://attack.mitre.org/groups/G0080) since at least 2018.(Citation: Secureworks GOLD KINGSWOOD September 2018)",
|
|
"meta": {
|
|
"external_id": "S0646",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0646",
|
|
"https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish"
|
|
],
|
|
"synonyms": [
|
|
"SpicyOmelette"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "599cd7b5-37b5-4cdd-8174-2811531ce9d0",
|
|
"value": "SpicyOmelette - S0646"
|
|
},
|
|
{
|
|
"description": "[Pandora](https://attack.mitre.org/software/S0664) is a multistage kernel rootkit with backdoor functionality that has been in use by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2020.(Citation: Trend Micro Iron Tiger April 2021)",
|
|
"meta": {
|
|
"external_id": "S0664",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0664",
|
|
"https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html"
|
|
],
|
|
"synonyms": [
|
|
"Pandora"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a545456a-f9a7-47ad-9ea6-8b017def38d1",
|
|
"value": "Pandora - S0664"
|
|
},
|
|
{
|
|
"description": "[WindTail](https://attack.mitre.org/software/S0466) is a macOS surveillance implant used by [Windshift](https://attack.mitre.org/groups/G0112). [WindTail](https://attack.mitre.org/software/S0466) shares code similarities with Hack Back aka KitM OSX.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)",
|
|
"meta": {
|
|
"external_id": "S0466",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0466",
|
|
"https://objective-see.com/blog/blog_0x3B.html",
|
|
"https://objective-see.com/blog/blog_0x3D.html",
|
|
"https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf"
|
|
],
|
|
"synonyms": [
|
|
"WindTail"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0d1f9f5b-11ea-42c3-b5f4-63cce0122541",
|
|
"value": "WindTail - S0466"
|
|
},
|
|
{
|
|
"description": "[CharmPower](https://attack.mitre.org/software/S0674) is a PowerShell-based, modular backdoor that has been used by [Magic Hound](https://attack.mitre.org/groups/G0059) since at least 2022.(Citation: Check Point APT35 CharmPower January 2022)",
|
|
"meta": {
|
|
"external_id": "S0674",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0674",
|
|
"https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/"
|
|
],
|
|
"synonyms": [
|
|
"CharmPower"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7acb15b6-fe2c-4319-b136-6ab36ff0b2d4",
|
|
"value": "CharmPower - S0674"
|
|
},
|
|
{
|
|
"description": "[TajMahal](https://attack.mitre.org/software/S0467) is a multifunctional spying framework that has been in use since at least 2014. [TajMahal](https://attack.mitre.org/software/S0467) consists of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.(Citation: Kaspersky TajMahal April 2019)",
|
|
"meta": {
|
|
"external_id": "S0467",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0467",
|
|
"https://securelist.com/project-tajmahal/90240/"
|
|
],
|
|
"synonyms": [
|
|
"TajMahal"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b51797f7-57da-4210-b8ac-b8632ee75d70",
|
|
"value": "TajMahal - S0467"
|
|
},
|
|
{
|
|
"description": "[Turian](https://attack.mitre.org/software/S0647) is a backdoor that has been used by [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, [Turian](https://attack.mitre.org/software/S0647) is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.(Citation: ESET BackdoorDiplomacy Jun 2021)",
|
|
"meta": {
|
|
"external_id": "S0647",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0647",
|
|
"https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/"
|
|
],
|
|
"synonyms": [
|
|
"Turian"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "350f12cf-fd3b-4dad-b323-14b943090df4",
|
|
"value": "Turian - S0647"
|
|
},
|
|
{
|
|
"description": "[Valak](https://attack.mitre.org/software/S0476) is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)",
|
|
"meta": {
|
|
"external_id": "S0476",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0476",
|
|
"https://unit42.paloaltonetworks.com/valak-evolution/",
|
|
"https://www.cybereason.com/blog/valak-more-than-meets-the-eye"
|
|
],
|
|
"synonyms": [
|
|
"Valak"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ade37ada-14af-4b44-b36c-210eec255d53",
|
|
"value": "Valak - S0476"
|
|
},
|
|
{
|
|
"description": "[Bonadan](https://attack.mitre.org/software/S0486) is a malicious version of OpenSSH which acts as a custom backdoor. [Bonadan](https://attack.mitre.org/software/S0486) has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.(Citation: ESET ForSSHe December 2018)",
|
|
"meta": {
|
|
"external_id": "S0486",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0486",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Bonadan"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4c6d62c2-89f5-4159-8fab-0190b1f9d328",
|
|
"value": "Bonadan - S0486"
|
|
},
|
|
{
|
|
"description": "[Skidmap](https://attack.mitre.org/software/S0468) is a kernel-mode rootkit used for cryptocurrency mining.(Citation: Trend Micro Skidmap)",
|
|
"meta": {
|
|
"external_id": "S0468",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0468",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/"
|
|
],
|
|
"synonyms": [
|
|
"Skidmap"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "06c00069-771a-4d57-8ef5-d3718c1a8771",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4b68b5ea-2e1b-4225-845b-8632f702b9a0",
|
|
"value": "Skidmap - S0468"
|
|
},
|
|
{
|
|
"description": "[ABK](https://attack.mitre.org/software/S0469) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)",
|
|
"meta": {
|
|
"external_id": "S0469",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0469",
|
|
"https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf"
|
|
],
|
|
"synonyms": [
|
|
"ABK"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a0ebedca-d558-4e48-8ff7-4bf76208d90c",
|
|
"value": "ABK - S0469"
|
|
},
|
|
{
|
|
"description": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) is a PowerShell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)",
|
|
"meta": {
|
|
"external_id": "S0649",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0649",
|
|
"https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
|
|
"https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html"
|
|
],
|
|
"synonyms": [
|
|
"SMOKEDHAM"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7e0f8b0f-716e-494d-827e-310bd6ed709e",
|
|
"value": "SMOKEDHAM - S0649"
|
|
},
|
|
{
|
|
"description": "[DRATzarus](https://attack.mitre.org/software/S0694) is a remote access tool (RAT) that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) to target defense and aerospace organizations globally since at least summer 2020. [DRATzarus](https://attack.mitre.org/software/S0694) shares similarities with [Bankshot](https://attack.mitre.org/software/S0239), which was used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in 2017 to target the Turkish financial sector.(Citation: ClearSky Lazarus Aug 2020)",
|
|
"meta": {
|
|
"external_id": "S0694",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0694",
|
|
"https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf"
|
|
],
|
|
"synonyms": [
|
|
"DRATzarus"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "56aa3c82-ed40-4b5a-84bf-7231356d9e96",
|
|
"value": "DRATzarus - S0694"
|
|
},
|
|
{
|
|
"description": "[REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496), which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)",
|
|
"meta": {
|
|
"external_id": "S0496",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0496",
|
|
"https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html",
|
|
"https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/",
|
|
"https://securelist.com/sodin-ransomware/91473/",
|
|
"https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html",
|
|
"https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data",
|
|
"https://www.group-ib.com/whitepapers/ransomware-uncovered.html",
|
|
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/",
|
|
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/",
|
|
"https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware",
|
|
"https://www.secureworks.com/blog/revil-the-gandcrab-connection",
|
|
"https://www.secureworks.com/research/revil-sodinokibi-ransomware",
|
|
"https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis"
|
|
],
|
|
"synonyms": [
|
|
"REvil",
|
|
"Sodin",
|
|
"Sodinokibi"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "28170e17-8384-415c-8486-2e6b294cb803",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
|
|
"value": "REvil - S0496"
|
|
},
|
|
{
|
|
"description": "[Goopy](https://attack.mitre.org/software/S0477) is a Windows backdoor and Trojan used by [APT32](https://attack.mitre.org/groups/G0050) and shares several similarities to another backdoor used by the group ([Denis](https://attack.mitre.org/software/S0354)). [Goopy](https://attack.mitre.org/software/S0477) is named for its impersonation of the legitimate Google Updater executable.(Citation: Cybereason Cobalt Kitty 2017)",
|
|
"meta": {
|
|
"external_id": "S0477",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0477",
|
|
"https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Goopy"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "438c967d-3996-4870-bfc2-3954752a1927",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "eac3d77f-2b7b-4599-ba74-948dc16633ad",
|
|
"value": "Goopy - S0477"
|
|
},
|
|
{
|
|
"description": "[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android\u2019s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)",
|
|
"meta": {
|
|
"external_id": "S0478",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0478",
|
|
"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"
|
|
],
|
|
"synonyms": [
|
|
"EventBot"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4c58b7c6-a839-4789-bda9-9de33e4d4512",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bb4387ab-7a51-468b-bf5f-a9a8612f0303",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "aecc0097-c9f8-4786-9b39-e891ff173f54",
|
|
"value": "EventBot - S0478"
|
|
},
|
|
{
|
|
"description": "[Kessel](https://attack.mitre.org/software/S0487) is an advanced version of OpenSSH that acts as a custom backdoor, mainly used to steal credentials and to function as a bot. [Kessel](https://attack.mitre.org/software/S0487) has been active since its C2 domain began resolving in August 2018.(Citation: ESET ForSSHe December 2018)",
|
|
"meta": {
|
|
"external_id": "S0487",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0487",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Kessel"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "c984b414-b766-44c5-814a-2fe96c913c12",
|
|
"value": "Kessel - S0487"
|
|
},
|
|
{
|
|
"description": "[Dacls](https://attack.mitre.org/software/S0497) is a multi-platform remote access tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least December 2019.(Citation: TrendMicro macOS Dacls May 2020)(Citation: SentinelOne Lazarus macOS July 2020)",
|
|
"meta": {
|
|
"external_id": "S0497",
|
|
"mitre_platforms": [
|
|
"macOS",
|
|
"Linux",
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0497",
|
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/",
|
|
"https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/"
|
|
],
|
|
"synonyms": [
|
|
"Dacls"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "3aa169f8-bbf6-44bb-b57d-7f6ada5c2128",
|
|
"value": "Dacls - S0497"
|
|
},
|
|
{
|
|
"description": "[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. [WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT) ",
|
|
"meta": {
|
|
"external_id": "S0489",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0489",
|
|
"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"
|
|
],
|
|
"synonyms": [
|
|
"WolfRAT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1d1b1558-c833-482e-aabb-d07ef6eae63d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ab7400b7-3476-4776-9545-ef3fa373de63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "dfdac962-9461-47f0-a212-36dfce2a97e6",
|
|
"value": "WolfRAT - S0489"
|
|
},
|
|
{
|
|
"description": "[Cryptoistic](https://attack.mitre.org/software/S0498) is a backdoor, written in Swift, that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032).(Citation: SentinelOne Lazarus macOS July 2020)",
|
|
"meta": {
|
|
"external_id": "S0498",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0498",
|
|
"https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/"
|
|
],
|
|
"synonyms": [
|
|
"Cryptoistic"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a04d9a4c-bb52-40bf-98ec-e350c2d6a862",
|
|
"value": "Cryptoistic - S0498"
|
|
},
|
|
{
|
|
"description": "[Hancitor](https://attack.mitre.org/software/S0499) is a downloader that has been used by [Pony](https://attack.mitre.org/software/S0453) and other information-stealing malware.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)",
|
|
"meta": {
|
|
"external_id": "S0499",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0499",
|
|
"https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/",
|
|
"https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html"
|
|
],
|
|
"synonyms": [
|
|
"Hancitor",
|
|
"Chanitor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "808e6329-ca91-4b87-ac2d-8eadc5f8f327",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ef2247bf-8062-404b-894f-d65d00564817",
|
|
"value": "Hancitor - S0499"
|
|
},
|
|
{
|
|
"description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) is a modular backdoor that has been deployed by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CYBERWARCON CHEMISTGAMES)",
|
|
"meta": {
|
|
"external_id": "S0555",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0555",
|
|
"https://www.youtube.com/watch?v=xoNSbm1aX_w"
|
|
],
|
|
"synonyms": [
|
|
"CHEMISTGAMES"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "16d73b64-5681-4ea0-9af4-4ad86f7c96e8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "52eff1c7-dd30-4121-b762-24ae6fa61bbb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9558a84e-2d5e-4872-918e-d847494a8ffc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a0d774e4-bafc-4292-8651-3ec899391341",
|
|
"value": "CHEMISTGAMES - S0555"
|
|
},
|
|
{
|
|
"description": "[BusyGasper](https://attack.mitre.org/software/S0655) is Android spyware that has been in use since May 2016. There have been fewer than 10 victims, all of whom appear to be located in Russia and all of whom were infected via physical access to the device.(Citation: SecureList BusyGasper)",
|
|
"meta": {
|
|
"external_id": "S0655",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0655",
|
|
"https://securelist.com/busygasper-the-unfriendly-spy/87627/"
|
|
],
|
|
"synonyms": [
|
|
"BusyGasper"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "24a77e53-0751-46fc-b207-99378fb35c08",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "37047267-3e56-453c-833e-d92b68118120",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "693cdbff-ea73-49c6-ac3f-91e7285c31d1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "939808a7-121d-467a-b028-4441ee8b7cee",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b327a9c0-e709-495c-aa6e-00b042136e2b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec4c4baa-026f-43e8-8f56-58c36f3162dd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4",
|
|
"value": "BusyGasper - S0655"
|
|
},
|
|
{
|
|
"description": "[Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024). It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)",
|
|
"meta": {
|
|
"external_id": "S0565",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0565",
|
|
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
|
|
"https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"
|
|
],
|
|
"synonyms": [
|
|
"Raindrop"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4efc3e00-72f2-466a-ab7c-8a7dc6603b19",
|
|
"value": "Raindrop - S0565"
|
|
},
|
|
{
|
|
"description": "[Conti](https://attack.mitre.org/software/S0575) is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. [Conti](https://attack.mitre.org/software/S0575) has been deployed via [TrickBot](https://attack.mitre.org/software/S0266) and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using [Conti](https://attack.mitre.org/software/S0575) steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)(Citation: Cybleinc Conti January 2020)",
|
|
"meta": {
|
|
"external_id": "S0575",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0575",
|
|
"https://cybleinc.com/2021/01/21/conti-ransomware-resurfaces-targeting-government-large-organizations/",
|
|
"https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/",
|
|
"https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware"
|
|
],
|
|
"synonyms": [
|
|
"Conti"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4dea7d8e-af94-4bfb-afe4-7ff54f59308b",
|
|
"value": "Conti - S0575"
|
|
},
|
|
{
|
|
"description": "[Kerrdown](https://attack.mitre.org/software/S0585) is a custom downloader that has been used by [APT32](https://attack.mitre.org/groups/G0050) since at least 2018 to install spyware from a server on the victim's network.(Citation: Amnesty Intl. Ocean Lotus February 2021)(Citation: Unit 42 KerrDown February 2019)",
|
|
"meta": {
|
|
"external_id": "S0585",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0585",
|
|
"https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/",
|
|
"https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Kerrdown"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8c1d01ff-fdc0-4586-99bd-c248e0761af5",
|
|
"value": "Kerrdown - S0585"
|
|
},
|
|
{
|
|
"description": "[SUNBURST](https://attack.mitre.org/software/S0559) is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by [APT29](https://attack.mitre.org/groups/G0016) since at least February 2020.(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)",
|
|
"meta": {
|
|
"external_id": "S0559",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0559",
|
|
"https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
|
|
"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
|
|
"https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"
|
|
],
|
|
"synonyms": [
|
|
"SUNBURST",
|
|
"Solorigate"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a8839c95-029f-44cf-8f3d-a3cf2039e927",
|
|
"value": "SUNBURST - S0559"
|
|
},
|
|
{
|
|
"description": "[ThiefQuest](https://attack.mitre.org/software/S0595) is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. [ThiefQuest](https://attack.mitre.org/software/S0595) was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.(Citation: Reed thiefquest fake ransom) Even though [ThiefQuest](https://attack.mitre.org/software/S0595) presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.(Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)",
|
|
"meta": {
|
|
"external_id": "S0595",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0595",
|
|
"https://blog.malwarebytes.com/detections/osx-thiefquest/",
|
|
"https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/",
|
|
"https://objective-see.com/blog/blog_0x60.html",
|
|
"https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/"
|
|
],
|
|
"synonyms": [
|
|
"ThiefQuest",
|
|
"MacRansom.K",
|
|
"EvilQuest"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "727afb95-3d0f-4451-b297-362a43909923",
|
|
"value": "ThiefQuest - S0595"
|
|
},
|
|
{
|
|
"description": "[ThreatNeedle](https://attack.mitre.org/software/S0665) is a backdoor that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Manuscrypt (a.k.a. NukeSped) malware family.(Citation: Kaspersky ThreatNeedle Feb 2021)",
|
|
"meta": {
|
|
"external_id": "S0665",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0665",
|
|
"https://securelist.com/lazarus-threatneedle/100803/"
|
|
],
|
|
"synonyms": [
|
|
"ThreatNeedle"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "16040b1c-ed28-4850-9d8f-bb8b81c42092",
|
|
"value": "ThreatNeedle - S0665"
|
|
},
|
|
{
|
|
"description": "[BLUELIGHT](https://attack.mitre.org/software/S0657) is a remote access Trojan used by [APT37](https://attack.mitre.org/groups/G0067) that was first observed in early 2021.(Citation: Volexity InkySquid BLUELIGHT August 2021)",
|
|
"meta": {
|
|
"external_id": "S0657",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0657",
|
|
"https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
|
|
],
|
|
"synonyms": [
|
|
"BLUELIGHT"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0",
|
|
"value": "BLUELIGHT - S0657"
|
|
},
|
|
{
|
|
"description": "[MegaCortex](https://attack.mitre.org/software/S0576) is ransomware that first appeared in May 2019. (Citation: IBM MegaCortex) [MegaCortex](https://attack.mitre.org/software/S0576) has mainly targeted industrial organizations. (Citation: FireEye Ransomware Disrupt Industrial Production)(Citation: FireEye Financial Actors Moving into OT)",
|
|
"meta": {
|
|
"external_id": "S0576",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0576",
|
|
"https://securityintelligence.com/posts/from-mega-to-giga-cross-version-comparison-of-top-megacortex-modifications/",
|
|
"https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html",
|
|
"https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html"
|
|
],
|
|
"synonyms": [
|
|
"MegaCortex"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e7cbc1de-1f79-48ee-abfd-da1241c65a15",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "909617c3-6d87-4330-8f32-bd3af38c3b92",
|
|
"value": "MegaCortex - S0576"
|
|
},
|
|
{
|
|
"description": "[Dtrack](https://attack.mitre.org/software/S0567) is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. [Dtrack](https://attack.mitre.org/software/S0567) shares similarities with the DarkSeoul campaign, which was attributed to [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: Kaspersky Dtrack)(Citation: Securelist Dtrack)(Citation: Dragos WASSONITE)(Citation: CyberBit Dtrack)(Citation: ZDNet Dtrack)",
|
|
"meta": {
|
|
"external_id": "S0567",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0567",
|
|
"https://securelist.com/my-name-is-dtrack/93338/",
|
|
"https://usa.kaspersky.com/about/press-releases/2019_dtrack-previously-unknown-spy-tool-hits-financial-institutions-and-research-centers",
|
|
"https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/",
|
|
"https://www.dragos.com/threat/wassonite/",
|
|
"https://www.zdnet.com/article/confirmed-north-korean-malware-found-on-indian-nuclear-plants-network/"
|
|
],
|
|
"synonyms": [
|
|
"Dtrack"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f8774023-8021-4ece-9aca-383ac89d2759",
|
|
"value": "Dtrack - S0567"
|
|
},
|
|
{
|
|
"description": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) is a fully-featured beaconing implant integrated with command modules used by [Lazarus Group](https://attack.mitre.org/groups/G0032). It was first reported in May 2020.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)",
|
|
"meta": {
|
|
"external_id": "S0586",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0586",
|
|
"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b"
|
|
],
|
|
"synonyms": [
|
|
"TAINTEDSCRIBE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7f4bbe05-1674-4087-8a16-8f1ad61b6152",
|
|
"value": "TAINTEDSCRIBE - S0586"
|
|
},
|
|
{
|
|
"description": "[XCSSET](https://attack.mitre.org/software/S0658) is a macOS modular backdoor that targets Xcode application developers. [XCSSET](https://attack.mitre.org/software/S0658) was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.(Citation: trendmicro xcsset xcode project 2020)",
|
|
"meta": {
|
|
"external_id": "S0658",
|
|
"mitre_platforms": [
|
|
"macOS"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0658",
|
|
"https://blog.malwarebytes.com/detections/osx-dubrobber/",
|
|
"https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf"
|
|
],
|
|
"synonyms": [
|
|
"XCSSET",
|
|
"OSX.DubRobber"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "573ad264-1371-4ae0-8482-d2673b719dba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7d20fff9-8751-404e-badd-ccd71bda0236",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "810aa4ad-61c9-49cb-993f-daa06199421d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "e14085cb-0e8d-4be6-92ba-e3b93ee5978f",
|
|
"value": "XCSSET - S0658"
|
|
},
|
|
{
|
|
"description": "[EVILNUM](https://attack.mitre.org/software/S0568) is a fully capable backdoor that was first identified in 2018. [EVILNUM](https://attack.mitre.org/software/S0568) is used by the APT group [Evilnum](https://attack.mitre.org/groups/G0120), which has the same name.(Citation: ESET EvilNum July 2020)(Citation: Prevailion EvilNum May 2020)",
|
|
"meta": {
|
|
"external_id": "S0568",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0568",
|
|
"https://www.prevailion.com/phantom-in-the-command-shell-2/",
|
|
"https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/"
|
|
],
|
|
"synonyms": [
|
|
"EVILNUM"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "7cdfccda-2950-4167-981a-60872ff5d0db",
|
|
"value": "EVILNUM - S0568"
|
|
},
|
|
{
|
|
"description": "[PowerPunch](https://attack.mitre.org/software/S0685) is a lightweight downloader that has been used by [Gamaredon Group](https://attack.mitre.org/groups/G0047) since at least 2021.(Citation: Microsoft Actinium February 2022)",
|
|
"meta": {
|
|
"external_id": "S0685",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0685",
|
|
"https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"
|
|
],
|
|
"synonyms": [
|
|
"PowerPunch"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d52291b4-bb23-45a8-aef0-3dc7e986ba15",
|
|
"value": "PowerPunch - S0685"
|
|
},
|
|
{
|
|
"description": "[Diavol](https://attack.mitre.org/software/S0659) is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. [Diavol](https://attack.mitre.org/software/S0659) has been deployed by [Bazar](https://attack.mitre.org/software/S0534) and is thought to have potential ties to [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Fortinet Diavol July 2021)(Citation: FBI Flash Diavol January 2022)(Citation: DFIR Diavol Ransomware December 2021)",
|
|
"meta": {
|
|
"external_id": "S0659",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0659",
|
|
"https://thedfirreport.com/2021/12/13/diavol-ransomware/",
|
|
"https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
|
|
"https://www.ic3.gov/Media/News/2022/220120.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Diavol"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "4e9bdf9a-4957-47f6-87b3-c76898d3f623",
|
|
"value": "Diavol - S0659"
|
|
},
|
|
{
|
|
"description": "[Explosive](https://attack.mitre.org/software/S0569) is a custom-made remote access tool used by the group [Volatile Cedar](https://attack.mitre.org/groups/G0123). It was first identified in the wild in 2015.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021) ",
|
|
"meta": {
|
|
"external_id": "S0569",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0569",
|
|
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf",
|
|
"https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Explosive"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "6a21e3a4-5ffe-4581-af9a-6a54c7536f44",
|
|
"value": "Explosive - S0569"
|
|
},
|
|
{
|
|
"description": "[ShadowPad](https://attack.mitre.org/software/S0596) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by [APT41](https://attack.mitre.org/groups/G0096), but has since been observed to be used by various Chinese threat activity groups. (Citation: Recorded Future RedEcho Feb 2021)(Citation: Securelist ShadowPad Aug 2017)(Citation: Kaspersky ShadowPad Aug 2017) ",
|
|
"meta": {
|
|
"external_id": "S0596",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0596",
|
|
"https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf",
|
|
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf",
|
|
"https://securelist.com/shadowpad-in-corporate-networks/81432/",
|
|
"https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf"
|
|
],
|
|
"synonyms": [
|
|
"ShadowPad",
|
|
"POISONPLUG.SHADOW"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d467bc38-284b-4a00-96ac-125f447799fc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc",
|
|
"value": "ShadowPad - S0596"
|
|
},
|
|
{
|
|
"description": "[FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell)",
|
|
"meta": {
|
|
"external_id": "S0577",
|
|
"mitre_platforms": [
|
|
"Android"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0577",
|
|
"https://blog.lookout.com/frozencell-mobile-threat"
|
|
],
|
|
"synonyms": [
|
|
"FrozenCell"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3b936a4-6321-4172-9114-038a866362ec",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62",
|
|
"value": "FrozenCell - S0577"
|
|
},
|
|
{
|
|
"description": "[SUPERNOVA](https://attack.mitre.org/software/S0578) is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of [APT29](https://attack.mitre.org/groups/G0016)'s SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests [SUPERNOVA](https://attack.mitre.org/software/S0578) may have been used by the China-based threat group SPIRAL.(Citation: Guidepoint SUPERNOVA Dec 2020)(Citation: Unit42 SUPERNOVA Dec 2020)(Citation: SolarWinds Advisory Dec 2020)(Citation: CISA Supernova Jan 2021)(Citation: Microsoft Analyzing Solorigate Dec 2020)",
|
|
"meta": {
|
|
"external_id": "S0578",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0578",
|
|
"https://unit42.paloaltonetworks.com/solarstorm-supernova/",
|
|
"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a",
|
|
"https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
|
|
"https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
|
|
"https://www.solarwinds.com/sa-overview/securityadvisory"
|
|
],
|
|
"synonyms": [
|
|
"SUPERNOVA"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b2b0b946-be0a-4a7f-9c32-a2e5211d1cd9",
|
|
"value": "SUPERNOVA - S0578"
|
|
},
|
|
{
|
|
"description": "[Penquin](https://attack.mitre.org/software/S0587) is a remote access trojan (RAT) with multiple versions used by [Turla](https://attack.mitre.org/groups/G0010) to target Linux systems since at least 2014.(Citation: Kaspersky Turla Penquin December 2014)(Citation: Leonardo Turla Penquin May 2020)",
|
|
"meta": {
|
|
"external_id": "S0587",
|
|
"mitre_platforms": [
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0587",
|
|
"https://securelist.com/the-penquin-turla-2/67962/",
|
|
"https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Penquin",
|
|
"Penquin 2.0",
|
|
"Penquin_x64"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005cc321-08ce-4d17-b1ea-cb5275926520",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d18cb958-f4ad-4fb3-bb4f-e8994d206550",
|
|
"value": "Penquin - S0587"
|
|
},
|
|
{
|
|
"description": "[GoldFinder](https://attack.mitre.org/software/S0597) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://attack.mitre.org/software/S0597) was discovered in early 2021 during an investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) by [APT29](https://attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM Mar 2021)",
|
|
"meta": {
|
|
"external_id": "S0597",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0597",
|
|
"https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"
|
|
],
|
|
"synonyms": [
|
|
"GoldFinder"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "b7010785-699f-412f-ba49-524da6033c76",
|
|
"value": "GoldFinder - S0597"
|
|
},
|
|
{
|
|
"description": "[Waterbear](https://attack.mitre.org/software/S0579) is modular malware attributed to [BlackTech](https://attack.mitre.org/groups/G0098) that has been used primarily for lateral movement and for decrypting and triggering payloads, and is capable of hiding its network behaviors.(Citation: Trend Micro Waterbear December 2019)",
|
|
"meta": {
|
|
"external_id": "S0579",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0579",
|
|
"https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html"
|
|
],
|
|
"synonyms": [
|
|
"Waterbear"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "f3f1fbed-7e29-49cb-8579-4a378f858deb",
|
|
"value": "Waterbear - S0579"
|
|
},
|
|
{
|
|
"description": "[GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly identical in functionality. [GoldMax](https://attack.mitre.org/software/S0588) was discovered in early 2021 during the investigation into the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024), and has likely been used by [APT29](https://attack.mitre.org/groups/G0016) since at least mid-2019. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding execution in virtualized environments and masking its malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)(Citation: CrowdStrike StellarParticle January 2022)",
|
|
"meta": {
|
|
"external_id": "S0588",
|
|
"mitre_platforms": [
|
|
"Windows",
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0588",
|
|
"https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/",
|
|
"https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html",
|
|
"https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"
|
|
],
|
|
"synonyms": [
|
|
"GoldMax",
|
|
"SUNSHUTTLE"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4a2975db-414e-4c0c-bd92-775987514b4b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "5c747acd-47f0-4c5a-b9e5-213541fc01e0",
|
|
"value": "GoldMax - S0588"
|
|
},
|
|
{
|
|
"description": "[Sibot](https://attack.mitre.org/software/S0589) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://attack.mitre.org/software/S0589) variants in early 2021 during its investigation of [APT29](https://attack.mitre.org/groups/G0016) and the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024).(Citation: MSTIC NOBELIUM Mar 2021)",
|
|
"meta": {
|
|
"external_id": "S0589",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0589",
|
|
"https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"
|
|
],
|
|
"synonyms": [
|
|
"Sibot"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "979adb5a-dc30-48f0-9e3d-9a26d866928c",
|
|
"value": "Sibot - S0589"
|
|
},
|
|
{
|
|
"description": "[Kinsing](https://attack.mitre.org/software/S0599) is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. (Citation: Aqua Kinsing April 2020)(Citation: Sysdig Kinsing November 2020)(Citation: Aqua Security Cloud Native Threat Report June 2021)",
|
|
"meta": {
|
|
"external_id": "S0599",
|
|
"mitre_platforms": [
|
|
"Containers",
|
|
"Linux"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0599",
|
|
"https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability",
|
|
"https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf",
|
|
"https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/"
|
|
],
|
|
"synonyms": [
|
|
"Kinsing"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d6e55656-e43f-411f-a7af-45df650471c5",
|
|
"value": "Kinsing - S0599"
|
|
},
|
|
{
|
|
"description": "[Gelsemium](https://attack.mitre.org/software/S0666) is modular malware consisting of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. [Gelsemium](https://attack.mitre.org/software/S0666) has been used by the Gelsemium group since at least 2014.(Citation: ESET Gelsemium June 2021)",
|
|
"meta": {
|
|
"external_id": "S0666",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0666",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Gelsemium",
|
|
"Gelsevirine",
|
|
"Gelsenicine",
|
|
"Gelsemine"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2de47683-f398-448f-b947-9abcc3e32fad",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "efa7c4d6-8e30-41d9-a8fd-26dc337f4a1b",
|
|
"value": "Gelsemium - S0666"
|
|
},
|
|
{
|
|
"description": "[Chrommme](https://attack.mitre.org/software/S0667) is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was first reported in June 2021; security researchers noted infrastructure overlaps with [Gelsemium](https://attack.mitre.org/software/S0666) malware.(Citation: ESET Gelsemium June 2021)",
|
|
"meta": {
|
|
"external_id": "S0667",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0667",
|
|
"https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf"
|
|
],
|
|
"synonyms": [
|
|
"Chrommme"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "579607c2-d046-40df-99ab-beb479c37a2a",
|
|
"value": "Chrommme - S0667"
|
|
},
|
|
{
|
|
"description": "[QuietSieve](https://attack.mitre.org/software/S0686) is an information stealer that has been used by [Gamaredon Group](https://attack.mitre.org/groups/G0047) since at least 2021.(Citation: Microsoft Actinium February 2022)",
|
|
"meta": {
|
|
"external_id": "S0686",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0686",
|
|
"https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"
|
|
],
|
|
"synonyms": [
|
|
"QuietSieve"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "03eb4a05-6a02-43f6-afb7-3c7835501828",
|
|
"value": "QuietSieve - S0686"
|
|
},
|
|
{
|
|
"description": "[TinyTurla](https://attack.mitre.org/software/S0668) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010) against targets in the US, Germany, and Afghanistan since at least 2020.(Citation: Talos TinyTurla September 2021)",
|
|
"meta": {
|
|
"external_id": "S0668",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0668",
|
|
"https://blog.talosintelligence.com/2021/09/tinyturla.html"
|
|
],
|
|
"synonyms": [
|
|
"TinyTurla"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "2a7c1bb7-cd12-456e-810d-ab3bf8457bab",
|
|
"value": "TinyTurla - S0668"
|
|
},
|
|
{
|
|
"description": "[KOCTOPUS](https://attack.mitre.org/software/S0669)'s batch variant is a loader used by [LazyScripter](https://attack.mitre.org/groups/G0140) since 2018 to launch [Octopus](https://attack.mitre.org/software/S0340) and [Koadic](https://attack.mitre.org/software/S0250) and, in some cases, [QuasarRAT](https://attack.mitre.org/software/S0262). [KOCTOPUS](https://attack.mitre.org/software/S0669) also has a VBA variant that has the same functionality as the batch version.(Citation: MalwareBytes LazyScripter Feb 2021)",
|
|
"meta": {
|
|
"external_id": "S0669",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0669",
|
|
"https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf"
|
|
],
|
|
"synonyms": [
|
|
"KOCTOPUS"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "df9b350b-d4f9-4e79-a826-75cc75fbc1eb",
|
|
"value": "KOCTOPUS - S0669"
|
|
},
|
|
{
|
|
"description": "[Flagpro](https://attack.mitre.org/software/S0696) is a Windows-based, first-stage downloader that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.(Citation: NTT Security Flagpro new December 2021) ",
|
|
"meta": {
|
|
"external_id": "S0696",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0696",
|
|
"https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech"
|
|
],
|
|
"synonyms": [
|
|
"Flagpro"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "592260fb-dd5c-4a30-8d99-106a0485be0d",
|
|
"value": "Flagpro - S0696"
|
|
},
|
|
{
|
|
"description": "[Torisma](https://attack.mitre.org/software/S0678) is a second-stage implant designed for specialized monitoring that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032). [Torisma](https://attack.mitre.org/software/S0678) was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.(Citation: McAfee Lazarus Nov 2020)",
|
|
"meta": {
|
|
"external_id": "S0678",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0678",
|
|
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/"
|
|
],
|
|
"synonyms": [
|
|
"Torisma"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "0715560d-4299-4e84-9e20-6e80ab57e4f2",
|
|
"value": "Torisma - S0678"
|
|
},
|
|
{
|
|
"description": "[Ferocious](https://attack.mitre.org/software/S0679) is a first-stage implant composed of VBS and PowerShell scripts that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) since at least 2021.(Citation: Kaspersky WIRTE November 2021)",
|
|
"meta": {
|
|
"external_id": "S0679",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0679",
|
|
"https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044"
|
|
],
|
|
"synonyms": [
|
|
"Ferocious"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "73d08401-005f-4e1f-90b9-8f45d120879f",
|
|
"value": "Ferocious - S0679"
|
|
},
|
|
{
|
|
"description": "[HermeticWiper](https://attack.mitre.org/software/S0697) is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)",
|
|
"meta": {
|
|
"external_id": "S0697",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0697",
|
|
"https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware",
|
|
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia",
|
|
"https://www.cisa.gov/uscert/ncas/alerts/aa22-057a",
|
|
"https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/",
|
|
"https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine",
|
|
"https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack",
|
|
"https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine"
|
|
],
|
|
"synonyms": [
|
|
"HermeticWiper",
|
|
"Trojan.Killdisk",
|
|
"DriveSlayer"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "a0ab8a96-40c9-4483-8a54-3fafa6d6007a",
|
|
"value": "HermeticWiper - S0697"
|
|
},
|
|
{
|
|
"description": "[Meteor](https://attack.mitre.org/software/S0688) is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. [Meteor](https://attack.mitre.org/software/S0688) is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called \"Indra\" since at least 2019 against private companies in Syria.(Citation: Check Point Meteor Aug 2021)",
|
|
"meta": {
|
|
"external_id": "S0688",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0688",
|
|
"https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"
|
|
],
|
|
"synonyms": [
|
|
"Meteor"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "d79e7a60-5de9-448e-a074-f95d2d80f8d0",
|
|
"value": "Meteor - S0688"
|
|
},
|
|
{
|
|
"description": "[WhisperGate](https://attack.mitre.org/software/S0689) is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022)",
|
|
"meta": {
|
|
"external_id": "S0689",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0689",
|
|
"https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/#whispergate-malware-family",
|
|
"https://www.cybereason.com/blog/cybereason-vs.-whispergate-wiper",
|
|
"https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
|
|
],
|
|
"synonyms": [
|
|
"WhisperGate"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2cd950a6-16c4-404a-aa01-044322395107",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "49fee0b0-390e-4bde-97f8-97ed46bd19b7",
|
|
"value": "WhisperGate - S0689"
|
|
},
|
|
{
|
|
"description": "[HermeticWizard](https://attack.mitre.org/software/S0698) is a worm that has been used to spread [HermeticWiper](https://attack.mitre.org/software/S0697) in attacks against organizations in Ukraine since at least 2022.(Citation: ESET Hermetic Wizard March 2022)",
|
|
"meta": {
|
|
"external_id": "S0698",
|
|
"mitre_platforms": [
|
|
"Windows"
|
|
],
|
|
"refs": [
|
|
"https://attack.mitre.org/software/S0698",
|
|
"https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine"
|
|
],
|
|
"synonyms": [
|
|
"HermeticWizard"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
|
"type": "uses"
|
|
},
|
|
{
|
|
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
|
"type": "uses"
|
|
}
|
|
],
|
|
"uuid": "ff7ed9c1-dca3-4e62-9da6-72c5d388b8fa",
|
|
"value": "HermeticWizard - S0698"
|
|
}
|
|
],
|
|
"version": 32
|
|
}