Malware
Name of ATT&CK software
Authors
Authors and/or Contributors |
---|
MITRE |
Hacking Team UEFI Rootkit - S0047
Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. (Citation: TrendMicro Hacking Team UEFI)
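A firmware implant survives disk wipes and OS reinstalls, so the first triage question on a suspect machine is what the firmware itself reports about its boot policy. The Python below is an added example by this editor, not code from the cited Trend Micro report or from ATT&CK: it parses the SecureBoot and SetupMode variables in the format Linux exposes under efivarfs (a 4-byte little-endian attribute word followed by the variable data, one byte for these two). The sample blobs are constructed. Secure Boot reporting "enabled" is a triage signal, not a clean bill of health: an implant already written to SPI flash runs before any boot policy is enforced.

```python
"""Report UEFI Secure Boot state from efivarfs-style variable blobs.

efivarfs files start with a 4-byte little-endian attribute word followed by
the variable data. SecureBoot and SetupMode each carry a single data byte.
"""
import struct
from pathlib import Path
from typing import Tuple

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs blob into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar blob shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def secure_boot_state(secure_boot: bytes, setup_mode: bytes) -> str:
    """Classify firmware state from the SecureBoot and SetupMode variables."""
    _, sb = parse_efivar(secure_boot)
    _, sm = parse_efivar(setup_mode)
    if not sb or not sm:
        raise ValueError("empty variable data")
    if sm[0] == 1:
        return "setup-mode"      # key database can be rewritten without a signature
    return "enabled" if sb[0] == 1 else "disabled"


def read_live_state(efivars_dir: Path = EFIVARS_DIR) -> str:
    """Read the two variables from a mounted efivarfs; 'unavailable' if absent."""
    sb_path = efivars_dir / f"SecureBoot-{EFI_GLOBAL_GUID}"
    sm_path = efivars_dir / f"SetupMode-{EFI_GLOBAL_GUID}"
    if not sb_path.exists() or not sm_path.exists():
        return "unavailable"     # legacy BIOS boot, or efivarfs not mounted
    return secure_boot_state(sb_path.read_bytes(), sm_path.read_bytes())


# Constructed sample blobs (not read from a real machine): attribute word 0x6 =
# BOOTSERVICE_ACCESS | RUNTIME_ACCESS, then the single data byte.
SAMPLE_SB_ON = struct.pack("<I", 0x6) + b"\x01"
SAMPLE_SB_OFF = struct.pack("<I", 0x6) + b"\x00"
SAMPLE_SM_USER = struct.pack("<I", 0x6) + b"\x00"
SAMPLE_SM_SETUP = struct.pack("<I", 0x6) + b"\x01"

if __name__ == "__main__":
    print("sample blobs:", secure_boot_state(SAMPLE_SB_ON, SAMPLE_SM_USER))
    print("this host:   ", read_live_state())
```

On a live host the script needs efivarfs mounted (it is by default on most systemd distributions); on firmware that is in setup mode the result is reported as such regardless of the SecureBoot byte, because in that state the signature database can be replaced by anyone who can write variables.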
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hacking Team UEFI Rootkit - S0047.
Known Synonyms |
---|
Hacking Team UEFI Rootkit |
Internal MISP references
UUID 4b62ab58-c23b-4704-9c15-edd568cd59f8
which can be used as unique global reference for Hacking Team UEFI Rootkit - S0047
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0047 |
X-Agent for Android - S0314
X-Agent for Android is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) It is tracked separately from CHOPSTICK.
Internal MISP references
UUID 56660521-6db4-4e5a-a927-464f22954b7c
which can be used as unique global reference for X-Agent for Android - S0314
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0314 |
Red Alert 2.0 - S0539
Red Alert 2.0 is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0)
Known Synonyms |
---|
Red Alert 2.0 |
Internal MISP references
UUID 6e282bbf-5f32-476a-b879-ba77eec463c8
which can be used as unique global reference for Red Alert 2.0 - S0539
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0539 |
mitre_platforms | ['Android'] |
Exaramel for Linux - S0401
Exaramel for Linux is a backdoor written in Go and compiled as a 64-bit ELF binary. The Windows version is tracked separately under Exaramel for Windows.(Citation: ESET TeleBots Oct 2018)
Known Synonyms |
---|
Exaramel for Linux |
Internal MISP references
UUID 11194d8b-fdce-45d2-8047-df15bb8f16bd
which can be used as unique global reference for Exaramel for Linux - S0401
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0401 |
mitre_platforms | ['Linux'] |
Winnti for Linux - S0430
Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including Winnti Group. The Windows variant is tracked separately under Winnti for Windows.(Citation: Chronicle Winnti for Linux May 2019)
Known Synonyms |
---|
Winnti for Linux |
Internal MISP references
UUID 8787e86d-8475-4f13-acea-d33eb83b6105
which can be used as unique global reference for Winnti for Linux - S0430
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0430 |
mitre_platforms | ['Linux'] |
XLoader for iOS - S0490
XLoader for iOS is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from XLoader for Android.
Known Synonyms |
---|
XLoader for iOS |
Internal MISP references
UUID 29944858-da52-4d3d-b428-f8a6eb8dde6f
which can be used as unique global reference for XLoader for iOS - S0490
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0490 |
mitre_platforms | ['iOS'] |
Winnti for Windows - S0141
Winnti for Windows is a modular remote access Trojan (RAT) that has likely been used by multiple groups to carry out intrusions in various regions since at least 2010, including by a group referred to by the same name, Winnti Group.(Citation: Kaspersky Winnti April 2013)(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)(Citation: 401 TRG Winnti Umbrella May 2018) The Linux variant is tracked separately under Winnti for Linux.(Citation: Chronicle Winnti for Linux May 2019)
Known Synonyms |
---|
Winnti for Windows |
Internal MISP references
UUID d3afa961-a80c-4043-9509-282cdf69ab21
which can be used as unique global reference for Winnti for Windows - S0141
in MISP communities and other software using the MISP galaxy
External references
- https://401trg.github.io/pages/burning-umbrella.html - webarchive
- https://attack.mitre.org/software/S0141 - webarchive
- https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/ - webarchive
- https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a - webarchive
- https://securelist.com/winnti-more-than-just-a-game/37029/ - webarchive
- https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0141 |
mitre_platforms | ['Windows'] |
Pegasus for Android - S0316
Pegasus for Android is the Android version of malware that has reportedly been linked to the NSO Group. (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under Pegasus for iOS.
Known Synonyms |
---|
Chrysaor |
Pegasus for Android |
Internal MISP references
UUID 93799a9d-3537-43d8-b6f4-17215de1657c
which can be used as unique global reference for Pegasus for Android - S0316
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0316 |
mitre_platforms | ['Android'] |
XLoader for Android - S0318
XLoader for Android is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from XLoader for iOS.
Known Synonyms |
---|
XLoader for Android |
Internal MISP references
UUID 2740eaf6-2db2-4a40-a63f-f5b166c7059c
which can be used as unique global reference for XLoader for Android - S0318
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0318 - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0318 |
mitre_platforms | ['Android'] |
Pegasus for iOS - S0289
Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.(Citation: Lookout-Pegasus)(Citation: PegasusCitizenLab) The Android version is tracked separately under Pegasus for Android.
Known Synonyms |
---|
Pegasus for iOS |
Internal MISP references
UUID 33d9d91d-aad9-49d5-a516-220ce101ac8a
which can be used as unique global reference for Pegasus for iOS - S0289
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0289 |
mitre_platforms | ['iOS'] |
Exaramel for Windows - S0343
Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.(Citation: ESET TeleBots Oct 2018)
Known Synonyms |
---|
Exaramel for Windows |
Internal MISP references
UUID 051eaca1-958f-4091-9e5f-a9acd8f820b5
which can be used as unique global reference for Exaramel for Windows - S0343
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0343 |
mitre_platforms | ['Windows'] |
P.A.S. Webshell - S0598
P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.(Citation: ANSSI Sandworm January 2021)
Known Synonyms |
---|
Fobushell |
P.A.S. Webshell |
Internal MISP references
UUID 4800d0f9-00aa-47cd-a4d2-92198585b8fd
which can be used as unique global reference for P.A.S. Webshell - S0598
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0598 |
mitre_platforms | ['Linux', 'Windows'] |
gh0st RAT - S0032
gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)
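The NCC Group post cited above is about decoding gh0st traffic. The classic gh0st packet, as laid out in the public source, starts with a 5-byte flag (b"Gh0st" in the original), a little-endian uint32 total packet length (header included), a little-endian uint32 uncompressed length, and then a zlib-compressed body whose first byte is the command token. The Python below is an added example by this editor, not code from ATT&CK or from the cited reports: it parses that header and scans a list of (stream, payload) pairs for it. The sample payloads are constructed; the alternate flag b"Heart" is included only to show that variants rebrand the flag, and the flag string of any particular sample is an assumption to confirm against that sample.

```python
"""Parse the classic gh0st RAT network header and flag it in captured TCP payloads.

Layout from the public gh0st source: 5-byte flag, uint32 LE total length,
uint32 LE uncompressed length, zlib payload. Variants change the flag string,
so the flag is a parameter rather than a constant.
"""
import struct
import zlib
from typing import Iterable, Iterator, Optional, Tuple

HDR_LEN = 13   # 5-byte flag + two 4-byte lengths


def parse_gh0st(payload: bytes, flag: bytes = b"Gh0st") -> Optional[Tuple[int, bytes]]:
    """Return (command_token, decompressed_body) if payload is a gh0st packet, else None."""
    if len(payload) < HDR_LEN or payload[:5] != flag:
        return None
    total_len, plain_len = struct.unpack_from("<II", payload, 5)
    if total_len != len(payload):
        return None                       # truncated, or only a coincidental prefix
    try:
        body = zlib.decompress(payload[HDR_LEN:])
    except zlib.error:
        return None
    if len(body) != plain_len or not body:
        return None
    return body[0], body[1:]


def build_gh0st(body: bytes, flag: bytes = b"Gh0st") -> bytes:
    """Build a packet in the same layout; used here only to construct samples."""
    comp = zlib.compress(body)
    return flag + struct.pack("<II", HDR_LEN + len(comp), len(body)) + comp


def scan_streams(streams: Iterable[Tuple[str, bytes]],
                 flags: Tuple[bytes, ...] = (b"Gh0st",)) -> Iterator[Tuple[str, int]]:
    """Yield (stream_id, command_token) for each stream whose payload parses as gh0st."""
    for stream_id, data in streams:
        for flag in flags:
            parsed = parse_gh0st(data, flag)
            if parsed:
                yield stream_id, parsed[0]
                break


# Constructed samples (not real captures): token 0x65 with a fake hostname body,
# one packet using an assumed variant flag, and ordinary HTTP that must not match.
SAMPLE_STREAMS = [
    ("10.0.0.5:49152->203.0.113.7:443", build_gh0st(b"\x65WIN-TEST\x00")),
    ("10.0.0.8:49200->203.0.113.9:8080", build_gh0st(b"\x66", flag=b"Heart")),
    ("10.0.0.9:49300->198.51.100.2:80", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for sid, token in scan_streams(SAMPLE_STREAMS, flags=(b"Gh0st", b"Heart")):
        print(f"{sid}: gh0st packet, command token 0x{token:02x}")
```

The length and decompression checks matter more than the flag: a five-byte string match alone will fire on benign data, while a payload whose declared total length equals the observed length and whose zlib body inflates to exactly the declared size is very unlikely to be anything else.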
Known Synonyms |
---|
Moudoor |
Mydoor |
gh0st RAT |
Internal MISP references
UUID 88c621a7-aef9-4ae0-94e3-1fc87123eb24
which can be used as unique global reference for gh0st RAT - S0032
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0032 - webarchive
- https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/ - webarchive
- https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf - webarchive
- https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/ - webarchive
- https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0032 |
mitre_platforms | ['Windows', 'macOS'] |
China Chopper - S0020
China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server.(Citation: Lee 2013) It has been used by several threat groups.(Citation: Dell TG-3390)(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)(Citation: Rapid7 HAFNIUM Mar 2021)
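Both P.A.S. Webshell and China Chopper are files left on the web server and driven by ordinary inbound HTTP requests, which is why neither needs an implant that beacons out. China Chopper's server side is a one-line eval of a request parameter (documented in the FireEye analysis cited here); P.A.S. is a larger, password-protected PHP shell that is usually shipped packed. The Python below is an added example by this editor covering both entries; it is not code from either tool, from ATT&CK or from the cited reports. It scans source files for eval-of-request and packed-eval constructs, then looks in combined-format access logs for scripts that only ever receive referer-less POSTs. The file contents and log lines are constructed, and the patterns and the three-POST threshold are heuristics, not a complete signature set.

```python
"""Heuristic scan for China Chopper-style one-liners and P.A.S.-style packed PHP shells.

Signal 1: source files that pass request data straight into eval, or unpack an
embedded blob before eval. Signal 2: access-log entries where a script only
ever receives referer-less POSTs, which is how a one-line shell is driven.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SHELL_PATTERNS = [
    ("eval-of-request-php", re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("eval-of-request-aspx", re.compile(r"eval\s*\(\s*Request\.(Item|Form|QueryString)\b", re.I)),
    ("assert-of-request-php", re.compile(r"assert\s*\(\s*\$_(POST|GET|REQUEST)\b", re.I)),
    ("packed-eval", re.compile(r"eval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)),
]


def scan_source(path: str, content: str) -> List[Tuple[str, str]]:
    """Return (path, indicator) pairs for every pattern found in one file."""
    return [(path, name) for name, rx in SHELL_PATTERNS if rx.search(content)]


# Apache/nginx combined log format.
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCRIPT_RX = re.compile(r"\.(php|aspx?|jsp)$", re.I)


def suspicious_scripts(log_lines: List[str], min_posts: int = 3) -> Dict[str, int]:
    """Scripts that receive at least min_posts referer-less POSTs and no other request at all."""
    posts: Dict[str, int] = defaultdict(int)
    other: Dict[str, int] = defaultdict(int)
    for line in log_lines:
        m = LOG_RX.match(line)
        if not m:
            continue
        script = m["path"].split("?")[0]
        if not SCRIPT_RX.search(script):
            continue
        if m["method"] == "POST" and m["referer"] == "-":
            posts[script] += 1
        else:
            other[script] += 1
    return {s: n for s, n in posts.items() if n >= min_posts and s not in other}


# Constructed samples; not files or logs from a real incident.
SAMPLE_FILES = {
    "/var/www/html/img/cache.php": "<?php @eval($_POST['k']); ?>",
    "/inetpub/wwwroot/aspnet_client/x.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["k"],"unsafe");%>',
    "/var/www/html/wp-content/upload.php": "<?php eval(gzinflate(base64_decode('H4sI...'))); ?>",
    "/var/www/html/index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
}
SAMPLE_LOG = [
    '198.51.100.4 - - [12/Mar/2021:10:00:01 +0000] "POST /img/cache.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [12/Mar/2021:10:00:05 +0000] "POST /img/cache.php HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [12/Mar/2021:10:00:09 +0000] "POST /img/cache.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"',
    '203.0.113.10 - - [12/Mar/2021:10:01:00 +0000] "GET /index.php?q=1 HTTP/1.1" 200 5120 "https://example.com/" "Mozilla/5.0"',
    '203.0.113.11 - - [12/Mar/2021:10:01:02 +0000] "POST /login.php HTTP/1.1" 302 0 "https://example.com/login.php" "Mozilla/5.0"',
    '203.0.113.11 - - [12/Mar/2021:10:01:03 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [12/Mar/2021:10:01:04 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [12/Mar/2021:10:01:05 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def scan_all(files=SAMPLE_FILES, log_lines=SAMPLE_LOG):
    """Run both signals; returns (file hits, {script: referer-less POST count})."""
    hits = [h for p, c in files.items() for h in scan_source(p, c)]
    return hits, suspicious_scripts(log_lines)


if __name__ == "__main__":
    file_hits, log_hits = scan_all()
    for path, indicator in file_hits:
        print(f"file {path}: {indicator}")
    for script, n in log_hits.items():
        print(f"log  {script}: {n} referer-less POSTs and no other traffic")
```

The log heuristic deliberately drops any script that also sees a GET or a referred request, which is what keeps ordinary login and form handlers out of the result; a real shell sitting in an image or upload directory almost never gets a browser-originated request.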
Known Synonyms |
---|
China Chopper |
Internal MISP references
UUID 5a3a31fe-5a8f-48e1-bff0-a753e5b1be70
which can be used as unique global reference for China Chopper - S0020
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0020 - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-200a - webarchive
- https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html - webarchive
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive
- https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/ - webarchive
- https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0020 |
mitre_platforms | ['Windows'] |
Skeleton Key - S0007
Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. (Citation: Dell Skeleton) Functionality similar to Skeleton Key is included as a module in Mimikatz.
Known Synonyms |
---|
Skeleton Key |
Internal MISP references
UUID 89f63ae4-f229-4a5c-95ad-6f22ed2b5c49
which can be used as unique global reference for Skeleton Key - S0007
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0007 |
mitre_platforms | ['Windows'] |
P2P ZeuS - S0016
P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. (Citation: Dell P2P ZeuS)
Known Synonyms |
---|
Gameover ZeuS |
P2P ZeuS |
Peer-to-Peer ZeuS |
Internal MISP references
UUID b2c5d3ca-b43a-4888-ad8d-e2d43497bf85
which can be used as unique global reference for P2P ZeuS - S0016
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0016 |
mitre_platforms | ['Windows'] |
Unknown Logger - S0130
Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. (Citation: Forcepoint Monsoon)
Known Synonyms |
---|
Unknown Logger |
Internal MISP references
UUID ab3580c8-8435-4117-aace-3d9fbe46aa56
which can be used as unique global reference for Unknown Logger - S0130
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0130 |
mitre_platforms | ['Windows'] |
Black Basta - S1070
Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and VMware ESXi servers. Black Basta operations have used double extortion: in addition to demanding a ransom to decrypt the files of targeted organizations, the actors threaten to post sensitive information to a leak site if the ransom is not paid. Black Basta affiliates have targeted multiple high-value organizations, with the largest number of victims based in the U.S. Based on similarities in TTPs, leak sites, payment sites, and negotiation tactics, security researchers assess that the Black Basta RaaS operators could include current or former members of the Conti group.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Deep Instinct Black Basta August 2022)(Citation: Minerva Labs Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Cyble Black Basta May 2022)
Known Synonyms |
---|
Black Basta |
Internal MISP references
UUID 8d242fb4-9033-4f13-8a88-4b9b4bcd9a53
which can be used as unique global reference for Black Basta - S1070
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S1070 - webarchive
- https://blog.cyble.com/2022/05/06/black-basta-ransomware/ - webarchive
- https://minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/ - webarchive
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ - webarchive
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware - webarchive
- https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware - webarchive
- https://www.deepinstinct.com/blog/black-basta-ransomware-threat-emergence - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S1070 |
mitre_platforms | ['Windows'] |
Cherry Picker - S0107
Cherry Picker is a point of sale (PoS) memory scraper. (Citation: Trustwave Cherry Picker)
Known Synonyms |
---|
Cherry Picker |
Internal MISP references
UUID b2203c59-4089-4ee4-bfe1-28fa25f0dbfe
which can be used as unique global reference for Cherry Picker - S0107
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0107 |
mitre_platforms | ['Windows'] |
Zeus Panda - S0330
Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. It is built on the original ZeuS source code, which was leaked in 2011 and has since allowed threat actors to use it as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)
Known Synonyms |
---|
Zeus Panda |
Internal MISP references
UUID 198db886-47af-4f4c-bff5-11b891f85946
which can be used as unique global reference for Zeus Panda - S0330
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0330 |
mitre_platforms | ['Windows'] |
SpyNote RAT - S0305
SpyNote RAT (Remote Access Trojan) is a family of malicious Android apps. The SpyNote RAT builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)
Known Synonyms |
---|
SpyNote RAT |
Internal MISP references
UUID 20dbaf05-59b8-4dc6-8777-0b17f4553a23
which can be used as unique global reference for SpyNote RAT - S0305
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0305 |
mitre_platforms | ['Android'] |
3PARA RAT - S0066
3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. (Citation: CrowdStrike Putter Panda)
Known Synonyms |
---|
3PARA RAT |
Internal MISP references
UUID 7bec698a-7e20-4fd3-bb6a-12787770fb1a
which can be used as unique global reference for 3PARA RAT - S0066
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0066 |
mitre_platforms | ['Windows'] |
Agent Smith - S0440
Agent Smith is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019 Agent Smith had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)
Known Synonyms |
---|
Agent Smith |
Internal MISP references
UUID a6228601-03f6-4949-ae22-c1087627a637
which can be used as unique global reference for Agent Smith - S0440
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0440 |
mitre_platforms | ['Android'] |
4H RAT - S0065
4H RAT is malware that has been used by Putter Panda since at least 2007. (Citation: CrowdStrike Putter Panda)
Known Synonyms |
---|
4H RAT |
Internal MISP references
UUID 8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc
which can be used as unique global reference for 4H RAT - S0065
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0065 |
mitre_platforms | ['Windows'] |
Desert Scorpion - S0505
Desert Scorpion is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. Desert Scorpion is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion)
Known Synonyms |
---|
Desert Scorpion |
Internal MISP references
UUID 3271c107-92c4-442e-9506-e76d62230ee8
which can be used as unique global reference for Desert Scorpion - S0505
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0505 |
mitre_platforms | ['Android'] |
Net Crawler - S0056
Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. (Citation: Cylance Cleaver)
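The propagation loop described above (dump credentials, brute-force neighbours over SMB with what was recovered, run a copy of itself there with PsExec) leaves a recognisable sequence in Windows event logs: a burst of 4625 failures with logon type 3 from one source host, a 4624 success from that same source, then a 7045 service-installation event on the target, since PsExec works by installing a service (named PSEXESVC by default). The Python below is an added example by this editor, not code from the Cylance report or from ATT&CK. The events are constructed dictionaries carrying a subset of the real event fields, and the thresholds (three failures, ten-minute window) are assumptions to tune for the environment.

```python
"""Detect the Net Crawler propagation pattern in Windows event data:
SMB brute force (several 4625 network logons from one source), a 4624
logon-type-3 success from that source, then a 7045 service install on the target.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed events, not from a real incident. Fields mirror the Security log
# (4624/4625 with LogonType 3, source address) and the System log (7045).
SAMPLE_EVENTS = [
    {"ts": "2014-12-02T09:00:01", "host": "WS-07", "id": 4625, "src": "10.10.1.20", "user": "admin", "logon_type": 3},
    {"ts": "2014-12-02T09:00:02", "host": "WS-07", "id": 4625, "src": "10.10.1.20", "user": "admin", "logon_type": 3},
    {"ts": "2014-12-02T09:00:02", "host": "WS-07", "id": 4625, "src": "10.10.1.20", "user": "backup", "logon_type": 3},
    {"ts": "2014-12-02T09:00:03", "host": "WS-07", "id": 4625, "src": "10.10.1.20", "user": "svc_sql", "logon_type": 3},
    {"ts": "2014-12-02T09:00:04", "host": "WS-07", "id": 4625, "src": "10.10.1.20", "user": "admin", "logon_type": 3},
    {"ts": "2014-12-02T09:00:05", "host": "WS-07", "id": 4624, "src": "10.10.1.20", "user": "admin", "logon_type": 3},
    {"ts": "2014-12-02T09:00:07", "host": "WS-07", "id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    # Benign: one typo then success, no service install.
    {"ts": "2014-12-02T09:30:00", "host": "WS-12", "id": 4625, "src": "10.10.1.50", "user": "jdoe", "logon_type": 3},
    {"ts": "2014-12-02T09:30:04", "host": "WS-12", "id": 4624, "src": "10.10.1.50", "user": "jdoe", "logon_type": 3},
    # Benign: console (type 2) failures are not SMB spreading.
    {"ts": "2014-12-02T10:00:00", "host": "WS-03", "id": 4625, "src": "-", "user": "kiosk", "logon_type": 2},
]


def _t(e: Dict) -> datetime:
    return datetime.fromisoformat(e["ts"])


def detect_spread(events: List[Dict], min_failures: int = 3,
                  window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """One finding per (target host, source) showing brute force -> success -> service install."""
    by_pair: Dict[tuple, List[Dict]] = defaultdict(list)
    installs: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        if e["id"] in (4624, 4625) and e.get("logon_type") == 3:
            by_pair[(e["host"], e["src"])].append(e)
        elif e["id"] == 7045:
            installs[e["host"]].append(e)

    findings = []
    for (host, src), evs in by_pair.items():
        evs.sort(key=_t)
        for i, e in enumerate(evs):
            if e["id"] != 4624:
                continue
            failures = [x for x in evs[:i] if x["id"] == 4625 and _t(e) - _t(x) <= window]
            if len(failures) < min_failures:
                continue
            services = [s for s in installs[host] if timedelta(0) <= _t(s) - _t(e) <= window]
            if services:
                findings.append({
                    "host": host, "source": src, "account": e["user"],
                    "failed_attempts": len(failures),
                    "accounts_tried": sorted({x["user"] for x in failures}),
                    "services": [s["service"] for s in services],
                })
                break          # one finding per pair is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_spread(SAMPLE_EVENTS):
        print(finding)
```

The same three-stage join works against real logs once 4624/4625 are pulled from the Security channel (the source address is in IpAddress and the type in LogonType) and 7045 from the System channel; the worm's own service name is not needed, because the PsExec service install on a host that was just brute-forced is the signal.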
Known Synonyms |
---|
Net Crawler |
NetC |
Internal MISP references
UUID fde50aaa-f5de-4cb8-989a-babb57d6a704
which can be used as unique global reference for Net Crawler - S0056
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0056 |
mitre_platforms | ['Windows'] |
Bad Rabbit - S0606
Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware)
Known Synonyms |
---|
Bad Rabbit |
Win32/Diskcoder.D |
Internal MISP references
UUID 2eaa5319-5e1e-4dd7-bbc4-566fced3964a
which can be used as unique global reference for Bad Rabbit - S0606
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0606 - webarchive
- https://securelist.com/bad-rabbit-ransomware/82851/ - webarchive
- https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/ - webarchive
- https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0606 |
mitre_platforms | ['Windows'] |
Green Lambert - S0690
Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.(Citation: Kaspersky Lamberts Toolkit April 2017)(Citation: Objective See Green Lambert for OSX Oct 2021)
Known Synonyms |
---|
Green Lambert |
Internal MISP references
UUID 59c8a28c-200c-4565-9af1-cbdb24870ba0
which can be used as unique global reference for Green Lambert - S0690
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0690 |
mitre_platforms | ['Windows', 'iOS', 'macOS', 'Linux'] |
Saint Bot - S1018
Saint Bot is a .NET downloader that has been used by Ember Bear since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
Internal MISP references
UUID 7724581b-06ff-4d2b-b77c-80dc8d53070b
which can be used as unique global reference for Saint Bot - S1018
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1018 |
mitre_platforms | ['Windows'] |
Heyoka Backdoor - S1027
Heyoka Backdoor is a custom backdoor based on the open-source Heyoka exfiltration tool; it has been used by Aoqin Dragon since at least 2013.(Citation: SentinelOne Aoqin Dragon June 2022)(Citation: Sourceforge Heyoka 2022)
Known Synonyms |
---|
Heyoka Backdoor |
Internal MISP references
UUID dff90475-9f72-41a6-84ed-1fbefd3874c0
which can be used as unique global reference for Heyoka Backdoor - S1027
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1027 |
mitre_platforms | ['Windows'] |
Action RAT - S1028
Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least December 2021 against Indian and Afghan government personnel.(Citation: MalwareBytes SideCopy Dec 2021)
Known Synonyms |
---|
Action RAT |
Internal MISP references
UUID 36801ffb-5c85-4c50-9121-6122e389366d
which can be used as unique global reference for Action RAT - S1028
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1028 |
mitre_platforms | ['Windows'] |
AutoIt backdoor - S0129
AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently delivered it in weaponized .pps files exploiting CVE-2014-6352. (Citation: Forcepoint Monsoon) The malware is built with AutoIt, the legitimate Windows GUI-automation scripting language of the same name.
Known Synonyms |
---|
AutoIt backdoor |
Internal MISP references
UUID f5352566-1a64-49ac-8f7f-97e1d1a03300
which can be used as unique global reference for AutoIt backdoor - S0129
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0129 |
mitre_platforms | ['Windows'] |
AuTo Stealer - S1029
AuTo Stealer is malware written in C++ that has been used by SideCopy since at least December 2021 to target government agencies and personnel in India and Afghanistan.(Citation: MalwareBytes SideCopy Dec 2021)
Known Synonyms |
---|
AuTo Stealer |
Internal MISP references
UUID 3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5
which can be used as unique global reference for AuTo Stealer - S1029
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1029 |
mitre_platforms | ['Windows'] |
Agent Tesla - S0331
Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020)
Known Synonyms |
---|
Agent Tesla |
Internal MISP references
UUID e7a5229f-05eb-440e-b982-9a6d2b2b87c8
which can be used as unique global reference for Agent Tesla - S0331
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0331 - webarchive
- https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/ - webarchive
- https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html - webarchive
- https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/ - webarchive
- https://www.digitrustgroup.com/agent-tesla-keylogger/ - webarchive
- https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0331 |
mitre_platforms | ['Windows'] |
Small Sieve - S1035
Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft Scriptable Install System (NSIS) Installer; it has been used by MuddyWater since at least January 2022.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: NCSC GCHQ Small Sieve Jan 2022)
Security researchers have also noted Small Sieve's use by UNC3313, which may be associated with MuddyWater.(Citation: Mandiant UNC3313 Feb 2022)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Small Sieve - S1035.
Known Synonyms |
---|
GRAMDOOR |
Small Sieve |
Internal MISP references
UUID ff41b9b6-4c1d-407b-a7e2-835109c8dbc5
which can be used as unique global reference for Small Sieve - S1035
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1035 |
mitre_platforms | ['Windows'] |
Cobalt Strike - S0154
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual)
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.(Citation: cobaltstrike manual)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cobalt Strike - S0154.
Known Synonyms |
---|
Cobalt Strike |
Internal MISP references
UUID a7881f21-e978-4fe4-af56-92c9416a2616
which can be used as unique global reference for Cobalt Strike - S0154
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0154 |
mitre_platforms | ['Windows', 'Linux', 'macOS'] |
Ragnar Locker - S0481
Ragnar Locker is a ransomware that has been in use since at least December 2019.(Citation: Sophos Ragnar May 2020)(Citation: Cynet Ragnar Apr 2020)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ragnar Locker - S0481.
Known Synonyms |
---|
Ragnar Locker |
Internal MISP references
UUID 54895630-efd2-4608-9c24-319de972a9eb
which can be used as unique global reference for Ragnar Locker - S0481
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0481 |
mitre_platforms | ['Windows'] |
Woody RAT - S1065
Woody RAT is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.(Citation: MalwareBytes WoodyRAT Aug 2022)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Woody RAT - S1065.
Known Synonyms |
---|
Woody RAT |
Internal MISP references
UUID 3bc7e862-5610-4c02-9c48-15b2e2dc1ddb
which can be used as unique global reference for Woody RAT - S1065
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1065 |
mitre_platforms | ['Windows'] |
SYNful Knock - S0519
SYNful Knock is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: Mandiant - Synful Knock)(Citation: Cisco Synful Knock Evolution)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SYNful Knock - S0519.
Known Synonyms |
---|
SYNful Knock |
Internal MISP references
UUID 84c1ecc6-e5a2-4e8a-bf4b-651a618e0053
which can be used as unique global reference for SYNful Knock - S0519
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0519 |
mitre_platforms | ['Network'] |
Power Loader - S0177
Power Loader is modular code sold on the cybercrime market and used as a downloader in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)
Internal MISP references
UUID 0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3
which can be used as unique global reference for Power Loader - S0177
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0177 |
HUI Loader - S1097
HUI Loader is a custom DLL loader that has been used since at least 2015 by China-based threat groups including Cinnamon Tempest and menuPass to deploy malware on compromised hosts. HUI Loader has been observed in campaigns loading SodaMaster, PlugX, Cobalt Strike, Komplex, and several strains of ransomware.(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HUI Loader - S1097.
Known Synonyms |
---|
HUI Loader |
Internal MISP references
UUID 54089fba-8662-4f37-9a44-6ad25a5f630a
which can be used as unique global reference for HUI Loader - S1097
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1097 |
mitre_platforms | ['Windows'] |
Brave Prince - S0252
Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to Gold Dragon, and was seen along with Gold Dragon and RunningRAT in operations surrounding the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Brave Prince - S0252.
Known Synonyms |
---|
Brave Prince |
Internal MISP references
UUID 28b97733-ef07-4414-aaa5-df50b2d30cc5
which can be used as unique global reference for Brave Prince - S0252
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0252 |
mitre_platforms | ['Windows'] |
Smoke Loader - S0226
Smoke Loader is a malicious bot application that can be used to load other malware. Smoke Loader has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Smoke Loader - S0226.
Known Synonyms |
---|
Dofoil |
Smoke Loader |
Internal MISP references
UUID 0c824410-58ff-49b2-9cf2-1c96b182bdf0
which can be used as unique global reference for Smoke Loader - S0226
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0226 - webarchive
- https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/ - webarchive
- https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0226 |
mitre_platforms | ['Windows'] |
Linux Rabbit - S0362
Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Linux Rabbit - S0362.
Known Synonyms |
---|
Linux Rabbit |
Internal MISP references
UUID 0efefea5-78da-4022-92bc-d726139e8883
which can be used as unique global reference for Linux Rabbit - S0362
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0362 |
mitre_platforms | ['Linux'] |
Stealth Mango - S0328
Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer. (Citation: Lookout-StealthMango)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Stealth Mango - S0328.
Known Synonyms |
---|
Stealth Mango |
Internal MISP references
UUID 085eb36d-697d-4d9a-bac3-96eb879fe73c
which can be used as unique global reference for Stealth Mango - S0328
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0328 |
mitre_platforms | ['Android'] |
Corona Updates - S0425
Corona Updates is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Corona Updates - S0425.
Known Synonyms |
---|
Concipit1248 |
Corona Updates |
Wabi Music |
Internal MISP references
UUID 366c800f-97a8-48d5-b0a6-79d00198252a
which can be used as unique global reference for Corona Updates - S0425
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0425 |
mitre_platforms | ['Android'] |
Gold Dragon - S0249
Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. Gold Dragon was used along with Brave Prince and RunningRAT in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gold Dragon - S0249.
Known Synonyms |
---|
Gold Dragon |
Internal MISP references
UUID b9799466-9dd7-4098-b2d6-f999ce50b9a8
which can be used as unique global reference for Gold Dragon - S0249
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0249 |
mitre_platforms | ['Windows'] |
Caterpillar WebShell - S0572
Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.(Citation: ClearSky Lebanese Cedar Jan 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Caterpillar WebShell - S0572.
Known Synonyms |
---|
Caterpillar WebShell |
Internal MISP references
UUID 751b77e6-af1f-483b-93fe-eddf17f92a64
which can be used as unique global reference for Caterpillar WebShell - S0572
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0572 |
mitre_platforms | ['Windows'] |
Cobian RAT - S0338
Cobian RAT is a backdoor, remote access tool that has been observed since 2016.(Citation: Zscaler Cobian Aug 2017)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cobian RAT - S0338.
Known Synonyms |
---|
Cobian RAT |
Internal MISP references
UUID aa1462a1-d065-416c-b354-bedd04998c7f
which can be used as unique global reference for Cobian RAT - S0338
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0338 |
mitre_platforms | ['Windows'] |
Cardinal RAT - S0348
Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Cardinal RAT is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.(Citation: PaloAlto CardinalRat Apr 2017)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cardinal RAT - S0348.
Known Synonyms |
---|
Cardinal RAT |
Internal MISP references
UUID b879758f-bbc4-4cab-b5ba-177ac9b009b4
which can be used as unique global reference for Cardinal RAT - S0348
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0348 |
mitre_platforms | ['Windows'] |
Golden Cup - S0535
Golden Cup is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Golden Cup - S0535.
Known Synonyms |
---|
Golden Cup |
Internal MISP references
UUID f3975cc0-72bc-4308-836e-ac701b83860e
which can be used as unique global reference for Golden Cup - S0535
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0535 |
mitre_platforms | ['Android'] |
Olympic Destroyer - S0365
Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. Olympic Destroyer has worm-like features to spread itself across a computer network in order to maximize its destructive impact.(Citation: Talos Olympic Destroyer 2018)(Citation: US District Court Indictment GRU Unit 74455 October 2020)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Olympic Destroyer - S0365.
Known Synonyms |
---|
Olympic Destroyer |
Internal MISP references
UUID 3249e92a-870b-426d-8790-ba311c1abfb4
which can be used as unique global reference for Olympic Destroyer - S0365
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0365 |
mitre_platforms | ['Windows'] |
Revenge RAT - S0379
Revenge RAT is a freely available remote access tool written in .NET (C#).(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Revenge RAT - S0379.
Known Synonyms |
---|
Revenge RAT |
Internal MISP references
UUID bdb27a1d-1844-42f1-a0c0-826027ae0326
which can be used as unique global reference for Revenge RAT - S0379
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0379 - webarchive
- https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/ - webarchive
- https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0379 |
mitre_platforms | ['Windows'] |
Rising Sun - S0448
Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 and 2019. Rising Sun infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed Rising Sun included some source code from Lazarus Group's Trojan Duuzer.(Citation: McAfee Sharpshooter December 2018)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rising Sun - S0448.
Known Synonyms |
---|
Rising Sun |
Internal MISP references
UUID 56e6b6c2-e573-4969-8bab-783205cebbbf
which can be used as unique global reference for Rising Sun - S0448
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0448 |
mitre_platforms | ['Windows'] |
JSS Loader - S0648
JSS Loader is a Remote Access Trojan (RAT) with .NET and C++ variants that has been used by FIN7 since at least 2020.(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JSS Loader - S0648.
Known Synonyms |
---|
JSS Loader |
Internal MISP references
UUID f559f945-eb8b-48b1-904c-68568deebed3
which can be used as unique global reference for JSS Loader - S0648
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0648 - webarchive
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/ - webarchive
- https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0648 |
mitre_platforms | ['Windows'] |
DEFENSOR ID - S0479
DEFENSOR ID is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. DEFENSOR ID performs the majority of its malicious functionality by abusing Android’s accessibility service.(Citation: ESET DEFENSOR ID)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEFENSOR ID - S0479.
Known Synonyms |
---|
DEFENSOR ID |
Internal MISP references
UUID 5a5dca4c-03c1-4b99-bfcf-c206e20aa663
which can be used as unique global reference for DEFENSOR ID - S0479
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0479 |
mitre_platforms | ['Android'] |
Tiktok Pro - S0558
Tiktok Pro is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tiktok Pro - S0558.
Known Synonyms |
---|
Tiktok Pro |
Internal MISP references
UUID c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0
which can be used as unique global reference for Tiktok Pro - S0558
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0558 |
mitre_platforms | ['Android'] |
Cyclops Blink - S0687
Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.(Citation: NCSC Cyclops Blink February 2022)(Citation: NCSC CISA Cyclops Blink Advisory February 2022)(Citation: Trend Micro Cyclops Blink March 2022)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cyclops Blink - S0687.
Known Synonyms |
---|
Cyclops Blink |
Internal MISP references
UUID b350b47f-88fe-4921-8538-6d9c59bac84e
which can be used as unique global reference for Cyclops Blink - S0687
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0687 - webarchive
- https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf - webarchive
- https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter - webarchive
- https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0687 |
mitre_platforms | ['Network'] |
Trojan-SMS.AndroidOS.FakeInst.a - S0306
Trojan-SMS.AndroidOS.FakeInst.a is Android malware. (Citation: Kaspersky-MobileMalware)
Internal MISP references
UUID 28e39395-91e7-4f02-b694-5e079c964da9
which can be used as unique global reference for Trojan-SMS.AndroidOS.FakeInst.a - S0306
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0306 |
Trojan-SMS.AndroidOS.Agent.ao - S0307
Trojan-SMS.AndroidOS.Agent.ao is Android malware. (Citation: Kaspersky-MobileMalware)
Internal MISP references
UUID a1867c56-8c86-455a-96ad-b0d5f7e2bc17
which can be used as unique global reference for Trojan-SMS.AndroidOS.Agent.ao - S0307
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0307 |
Trojan-SMS.AndroidOS.OpFake.a - S0308
Trojan-SMS.AndroidOS.OpFake.a is Android malware. (Citation: Kaspersky-MobileMalware)
Internal MISP references
UUID d89c132d-7752-4c7f-9372-954a71522985
which can be used as unique global reference for Trojan-SMS.AndroidOS.OpFake.a - S0308
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0308 |
Mis-Type - S0084
Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.(Citation: Cylance Dust Storm)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mis-Type - S0084.
Known Synonyms |
---|
Mis-Type |
Internal MISP references
UUID e1161124-f22e-487f-9d5f-ed8efc8dcd61
which can be used as unique global reference for Mis-Type - S0084
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0084 |
mitre_platforms | ['Windows'] |
S-Type - S0085
S-Type is a backdoor that was used in Operation Dust Storm since at least 2013.(Citation: Cylance Dust Storm)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular S-Type - S0085.
Known Synonyms |
---|
S-Type |
Internal MISP references
UUID 66b1dcde-17a0-4c7b-95fa-b08d430c2131
which can be used as unique global reference for S-Type - S0085
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0085 |
mitre_platforms | ['Windows'] |
Hi-Zor - S0087
Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION. (Citation: Fidelis Hi-Zor)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hi-Zor - S0087.
Known Synonyms |
---|
Hi-Zor |
Internal MISP references
UUID 5967cc93-57c9-404a-8ffd-097edfa7bdfc
which can be used as unique global reference for Hi-Zor - S0087
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0087 |
mitre_platforms | ['Windows'] |
Miner-C - S0133
Miner-C is malware that mines the Monero cryptocurrency on victim machines. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. (Citation: Softpedia MinerC)
Internal MISP references
UUID 17dec760-9c8f-4f1b-9b4b-0ac47a453234
which can be used as unique global reference for Miner-C - S0133
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0133 |
Seth-Locker - S0639
Seth-Locker is a ransomware with some remote control capabilities that has been in use since at least 2021. (Citation: Trend Micro Ransomware February 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Seth-Locker - S0639.
Known Synonyms |
---|
Seth-Locker |
Internal MISP references
UUID f931a0b9-0361-4b1b-bacf-955062c35746
which can be used as unique global reference for Seth-Locker - S0639
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0639 |
mitre_platforms | ['Windows'] |
Aria-body - S0456
Aria-body is a custom backdoor that has been used by Naikon since approximately 2017.(Citation: CheckPoint Naikon May 2020)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aria-body - S0456.
Known Synonyms |
---|
Aria-body |
Internal MISP references
UUID 3161d76a-e2b2-4b97-9906-24909b735386
which can be used as unique global reference for Aria-body - S0456
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0456 |
mitre_platforms | ['Windows'] |
S.O.V.A. - S1062
S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular S.O.V.A. - S1062.
Known Synonyms |
---|
S.O.V.A. |
Internal MISP references
UUID 4b53eb01-57d7-47b4-b078-22766b002b36
which can be used as unique global reference for S.O.V.A. - S1062
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1062 |
mitre_platforms | ['Android'] |
Android/Chuli.A - S0304
Android/Chuli.A is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Android/Chuli.A - S0304.
Known Synonyms |
---|
Android/Chuli.A |
Internal MISP references
UUID d05f7357-4cbe-47ea-bf83-b8604226d533
which can be used as unique global reference for Android/Chuli.A - S0304
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0304 |
mitre_platforms | ['Android'] |
AndroidOS/MalLocker.B - S0524
AndroidOS/MalLocker.B is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. (Citation: Microsoft MalLockerB)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AndroidOS/MalLocker.B - S0524.
Known Synonyms |
---|
AndroidOS/MalLocker.B |
Internal MISP references
UUID 9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce
which can be used as unique global reference for AndroidOS/MalLocker.B - S0524
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0524 |
mitre_platforms | ['Android'] |
Android/AdDisplay.Ashas - S0525
Android/AdDisplay.Ashas is a variant of adware that has been distributed through multiple apps in the Google Play Store. (Citation: WeLiveSecurity AdDisplayAshas)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Android/AdDisplay.Ashas - S0525.
Known Synonyms |
---|
Android/AdDisplay.Ashas |
Internal MISP references
UUID f7e7b736-2cff-4c2a-9232-352cd383463a
which can be used as unique global reference for Android/AdDisplay.Ashas - S0525
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0525 |
mitre_platforms | ['Android'] |
Trojan.Mebromi - S0001
Trojan.Mebromi is BIOS-level malware that takes control of the victim system before the MBR is executed. (Citation: Ge 2011)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Trojan.Mebromi - S0001.
Known Synonyms |
---|
Trojan.Mebromi |
Internal MISP references
UUID c5e9cb46-aced-466c-85ea-7db5572ad9ec
which can be used as unique global reference for Trojan.Mebromi - S0001
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0001 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
ANDROIDOS_ANSERVER.A - S0310
ANDROIDOS_ANSERVER.A is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ANDROIDOS_ANSERVER.A - S0310.
Known Synonyms |
---|
ANDROIDOS_ANSERVER.A |
Internal MISP references
UUID 4bf6ba32-4165-42c1-b911-9c36165891c8
which can be used as unique global reference for ANDROIDOS_ANSERVER.A - S0310
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0310 |
mitre_platforms | ['Android'] |
Related clusters
To see the related clusters, click here.
Agent.btz - S0092
Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. (Citation: Securelist Agent.btz)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Agent.btz - S0092.
Known Synonyms |
---|
Agent.btz |
Internal MISP references
UUID 40d3e230-ed32-469f-ba89-be70cc08ab39
which can be used as unique global reference for Agent.btz - S0092
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0092 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Backdoor.Oldrea - S0093
Backdoor.Oldrea is a modular backdoor that has been used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)(Citation: Symantec Dragonfly Sept 2017)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Backdoor.Oldrea - S0093.
Known Synonyms |
---|
Backdoor.Oldrea |
Havex |
Internal MISP references
UUID 083bb47b-02c8-4423-81a2-f9ef58572974
which can be used as unique global reference for Backdoor.Oldrea - S0093
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0093 - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers - webarchive
- https://vblocalhost.com/uploads/VB2021-Slowik.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0093 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Trojan.Karagany - S0094
Trojan.Karagany is a modular remote access tool used for recon and linked to Dragonfly. The source code for Trojan.Karagany originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Trojan.Karagany - S0094.
Known Synonyms |
---|
Karagany |
Trojan.Karagany |
xFrost |
Internal MISP references
UUID 82cb34ba-02b5-432b-b2d2-07f55cbf674d
which can be used as unique global reference for Trojan.Karagany - S0094
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0094 - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.dragos.com/threat/dymalloy/ - webarchive
- https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0094 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
macOS.OSAMiner - S1048
macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers assessed macOS.OSAMiner may have been circulating since at least 2015. macOS.OSAMiner is known for embedding one run-only AppleScript into another, which helped the malware evade full analysis for five years due to a lack of Apple event (AEVT) analysis tools.(Citation: SentinelLabs reversing run-only applescripts 2021)(Citation: VMRay OSAMiner dynamic analysis 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular macOS.OSAMiner - S1048.
Known Synonyms |
---|
macOS.OSAMiner |
Internal MISP references
UUID 2a59a237-1530-4d55-91f9-2aebf961cc37
which can be used as unique global reference for macOS.OSAMiner - S1048
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1048 |
mitre_platforms | ['macOS'] |
Related clusters
To see the related clusters, click here.
OSX_OCEANLOTUS.D - S0352
OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, APT32 has continued to make improvements using a plugin architecture to extend capabilities, specifically using .dylib files. OSX_OCEANLOTUS.D can also determine its permission level and execute according to access type (root or user).(Citation: Unit42 OceanLotus 2017)(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OSX_OCEANLOTUS.D - S0352.
Known Synonyms |
---|
Backdoor.MacOS.OCEANLOTUS.F |
OSX_OCEANLOTUS.D |
Internal MISP references
UUID b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29
which can be used as unique global reference for OSX_OCEANLOTUS.D - S0352
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0352 - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-new-improved-macos-backdoor-oceanlotus/ - webarchive
- https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0352 |
mitre_platforms | ['macOS'] |
Related clusters
To see the related clusters, click here.
LITTLELAMB.WOOLTEA - S1121
LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on targeted Ivanti Connect Secure VPNs and to establish persistence across system upgrades and patches.(Citation: Mandiant Cutting Edge Part 3 February 2024)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LITTLELAMB.WOOLTEA - S1121.
Known Synonyms |
---|
LITTLELAMB.WOOLTEA |
Internal MISP references
UUID 19256855-65e9-48f2-8b74-9f3d0a994428
which can be used as unique global reference for LITTLELAMB.WOOLTEA - S1121
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1121 |
mitre_platforms | ['Network'] |
Related clusters
To see the related clusters, click here.
OSX/Shlayer - S0402
OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OSX/Shlayer - S0402.
Known Synonyms |
---|
Crossrider |
OSX/Shlayer |
Zshlayer |
Internal MISP references
UUID f1314e75-ada8-49f4-b281-b1fb8b48f2a7
which can be used as unique global reference for OSX/Shlayer - S0402
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0402 - webarchive
- https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/ - webarchive
- https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html - webarchive
- https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/ - webarchive
- https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/ - webarchive
- https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0402 |
mitre_platforms | ['macOS'] |
Related clusters
To see the related clusters, click here.
T9000 - S0098
T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. (Citation: FireEye admin@338 March 2014) (Citation: Palo Alto T9000 Feb 2016)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular T9000 - S0098.
Known Synonyms |
---|
T9000 |
Internal MISP references
UUID 876f6a77-fbc5-4e13-ab1a-5611986730a3
which can be used as unique global reference for T9000 - S0098
in MISP communities and other software using the MISP galaxy
External references
- http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/ - webarchive
- https://attack.mitre.org/software/S0098 - webarchive
- https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0098 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
BS2005 - S0014
BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011. (Citation: Mandiant Operation Ke3chang November 2014)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BS2005 - S0014.
Known Synonyms |
---|
BS2005 |
Internal MISP references
UUID 67fc172a-36fa-4a35-88eb-4ba730ed52a6
which can be used as unique global reference for BS2005 - S0014
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0014 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Sys10 - S0060
Sys10 is a backdoor that was used throughout 2013 by Naikon. (Citation: Baumgartner Naikon 2015)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sys10 - S0060.
Known Synonyms |
---|
Sys10 |
Internal MISP references
UUID 7f8730af-f683-423f-9ee1-5f6875a80481
which can be used as unique global reference for Sys10 - S0060
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0060 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Lurid - S0010
Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006. (Citation: Villeneuve 2014) (Citation: Villeneuve 2011)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lurid - S0010.
Known Synonyms |
---|
Enfal |
Lurid |
Internal MISP references
UUID 251fbae2-78f6-4de7-84f6-194c727a64ad
which can be used as unique global reference for Lurid - S0010
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0010 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Dipsind - S0200
Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. (Citation: Microsoft PLATINUM April 2016)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dipsind - S0200.
Known Synonyms |
---|
Dipsind |
Internal MISP references
UUID e170995d-4f61-4f17-b60e-04f9a06ee517
which can be used as unique global reference for Dipsind - S0200
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0200 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
DressCode - S0300
DressCode is an Android malware family. (Citation: TrendMicro-DressCode)
Internal MISP references
UUID ff742eeb-1f90-4f5a-8b92-9d40fffd99ca
which can be used as unique global reference for DressCode - S0300
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0300 |
Related clusters
To see the related clusters, click here.
Carbanak - S0030
Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Carbanak - S0030.
Known Synonyms |
---|
Anunak |
Carbanak |
Internal MISP references
UUID 72f54d66-675d-4587-9bd3-4ed09f9522e4
which can be used as unique global reference for Carbanak - S0030
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0030 - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html - webarchive
- https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0030 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
RIPTIDE - S0003
RIPTIDE is a proxy-aware backdoor used by APT12. (Citation: Moran 2014)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RIPTIDE - S0003.
Known Synonyms |
---|
RIPTIDE |
Internal MISP references
UUID ad4f146f-e3ec-444a-ba71-24bffd7f0f8e
which can be used as unique global reference for RIPTIDE - S0003
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0003 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
TinyZBot - S0004
TinyZBot is a bot written in C# that was developed by Cleaver. (Citation: Cylance Cleaver)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TinyZBot - S0004.
Known Synonyms |
---|
TinyZBot |
Internal MISP references
UUID c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9
which can be used as unique global reference for TinyZBot - S0004
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0004 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
RobbinHood - S0400
RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.(Citation: CarbonBlack RobbinHood May 2019)(Citation: BaltimoreSun RobbinHood May 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RobbinHood - S0400.
Known Synonyms |
---|
RobbinHood |
Internal MISP references
UUID 0a607c53-df52-45da-a75d-0e53df4dad5f
which can be used as unique global reference for RobbinHood - S0400
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0400 - webarchive
- https://www.baltimoresun.com/politics/bs-md-ci-it-outage-20190507-story.html - webarchive
- https://www.carbonblack.com/2019/05/17/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0400 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
CosmicDuke - S0050
CosmicDuke is malware that was used by APT29 from 2010 to 2015. (Citation: F-Secure The Dukes)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CosmicDuke - S0050.
Known Synonyms |
---|
BotgenStudios |
CosmicDuke |
NemesisGemina |
TinyBaron |
Internal MISP references
UUID 2eb9b131-d333-4a48-9eb4-d8dec46c19ee
which can be used as unique global reference for CosmicDuke - S0050
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0050 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Doki - S0600
Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. Doki was used in conjunction with the ngrok Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Doki - S0600.
Known Synonyms |
---|
Doki |
Internal MISP references
UUID 4f1c389e-a80e-4a3e-9b0e-9be8c91df64f
which can be used as unique global reference for Doki - S0600
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0600 |
mitre_platforms | ['Linux', 'Containers'] |
Related clusters
To see the related clusters, click here.
HTTPBrowser - S0070
HTTPBrowser is malware that has been used by several threat groups. (Citation: ThreatStream Evasion Analysis) (Citation: Dell TG-3390) It is believed to be of Chinese origin. (Citation: ThreatConnect Anthem)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HTTPBrowser - S0070.
Known Synonyms |
---|
HTTPBrowser |
HttpDump |
Token Control |
Internal MISP references
UUID e066bf86-9cfb-407a-9d25-26fd5d91e360
which can be used as unique global reference for HTTPBrowser - S0070
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0070 - webarchive
- https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage - webarchive
- https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/ - webarchive
- https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0070 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Mivast - S0080
Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach. (Citation: Symantec Black Vine)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mivast - S0080.
Known Synonyms |
---|
Mivast |
Internal MISP references
UUID fbb470da-1d44-4f29-bbb3-9efbe20f94a3
which can be used as unique global reference for Mivast - S0080
in MISP communities and other software using the MISP galaxy
External references
- http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2 - webarchive
- https://attack.mitre.org/software/S0080 - webarchive
- https://web.archive.org/web/20170823094836/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0080 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Hikit - S0009
Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.(Citation: Novetta-Axiom)(Citation: FireEye Hikit Rootkit)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hikit - S0009.
Known Synonyms |
---|
Hikit |
Internal MISP references
UUID 95047f03-4811-4300-922e-1ba937d53a61
which can be used as unique global reference for Hikit - S0009
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0009 - webarchive
- https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0009 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Ngrok - S9000
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ngrok - S9000.
Known Synonyms |
---|
Ngrok |
Internal MISP references
UUID 911fe4c3-444d-4e92-83b8-cc761ac5fd3b
which can be used as unique global reference for Ngrok - S9000
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S9000 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Rover - S0090
Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. (Citation: Palo Alto Rover)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rover - S0090.
Known Synonyms |
---|
Rover |
Internal MISP references
UUID 6b616fc1-1505-48e3-8b2c-0d19337bff38
which can be used as unique global reference for Rover - S0090
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0090 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Ninja - S1100
Ninja is malware developed in C++ that has been used by ToddyCat to penetrate networks and control remote systems since at least 2020. Ninja is possibly part of a post-exploitation toolkit exclusively used by ToddyCat and allows multiple operators to work simultaneously on the same machine. Ninja has been used against government and military entities in Europe and Asia and has been observed in specific infection chains being deployed by Samurai.(Citation: Kaspersky ToddyCat June 2022)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ninja - S1100.
Known Synonyms |
---|
Ninja |
Internal MISP references
UUID 023254de-caaf-4a05-b2c7-e4e2f283f7a5
which can be used as unique global reference for Ninja - S1100
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1100 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Taidoor - S0011
Taidoor is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021) Taidoor has primarily been used against Taiwanese government organizations since at least 2010.(Citation: TrendMicro Taidoor)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Taidoor - S0011.
Known Synonyms |
---|
Taidoor |
Internal MISP references
UUID b143dfa4-e944-43ff-8429-bfffc308c517
which can be used as unique global reference for Taidoor - S0011
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0011 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
WEBC2 - S0109
WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WEBC2 - S0109.
Known Synonyms |
---|
WEBC2 |
Internal MISP references
UUID 1d808f62-cf63-4063-9727-ff6132514c22
which can be used as unique global reference for WEBC2 - S0109
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0109 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Derusbi - S0021
Derusbi is malware used by multiple Chinese APT groups.(Citation: Novetta-Axiom)(Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed.(Citation: Fidelis Turbo)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Derusbi - S0021.
Known Synonyms |
---|
Derusbi |
PHOTO |
Internal MISP references
UUID 94379dec-5c87-49db-b36e-66abc0b81344
which can be used as unique global reference for Derusbi - S0021
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0021 - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf - webarchive
- https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive
- https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0021 |
mitre_platforms | ['Windows', 'Linux'] |
Related clusters
To see the related clusters, click here.
JPIN - S0201
JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. (Citation: Microsoft PLATINUM April 2016)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JPIN - S0201.
Known Synonyms |
---|
JPIN |
Internal MISP references
UUID de6cb631-52f6-4169-a73b-7965390b0c30
which can be used as unique global reference for JPIN - S0201
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0201 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
PoisonIvy - S0012
PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.(Citation: FireEye Poison Ivy)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Darkmoon Aug 2005)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PoisonIvy - S0012.
Known Synonyms |
---|
Breut |
Darkmoon |
Poison Ivy |
PoisonIvy |
Internal MISP references
UUID b42378e0-f147-496f-992a-26a49705395b
which can be used as unique global reference for PoisonIvy - S0012
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0012 - webarchive
- https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
- https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf - webarchive
- https://www.symantec.com/connect/blogs/life-mars-how-attackers-took-advantage-hope-alien-existance-new-darkmoon-campaign - webarchive
- https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0012 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Kevin - S1020
Kevin is a backdoor implant written in C++ that has been used by HEXANE since at least June 2020, including in operations against organizations in Tunisia.(Citation: Kaspersky Lyceum October 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kevin - S1020.
Known Synonyms |
---|
Kevin |
Internal MISP references
UUID e7863f5d-cb6a-4f81-8804-0a635eec160a
which can be used as unique global reference for Kevin - S1020
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1020 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Nerex - S0210
Nerex is a Trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Nerex May 2012)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nerex - S0210.
Known Synonyms |
---|
Nerex |
Internal MISP references
UUID c251e4a5-9a2e-4166-8e42-442af75c3b9a
which can be used as unique global reference for Nerex - S0210
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0210 - webarchive
- https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
- https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3445-99 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0210 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
BACKSPACE - S0031
BACKSPACE is a backdoor used by APT30 that dates back to at least 2005. (Citation: FireEye APT30)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BACKSPACE - S0031.
Known Synonyms |
---|
BACKSPACE |
Lecna |
Internal MISP references
UUID fb261c56-b80e-43a9-8351-c84081e7213d
which can be used as unique global reference for BACKSPACE - S0031
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0031 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Dendroid - S0301
Dendroid is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dendroid - S0301.
Known Synonyms |
---|
Dendroid |
Internal MISP references
UUID 317a2c10-d489-431e-b6b2-f0251fddc88e
which can be used as unique global reference for Dendroid - S0301
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0301 |
mitre_platforms | ['Android'] |
Related clusters
To see the related clusters, click here.
PlugX - S0013
PlugX is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: Dell TG-3390)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PlugX - S0013.
Known Synonyms |
---|
DestroyRAT |
Kaba |
Korplug |
PlugX |
Sogu |
TVT |
Thoper |
Internal MISP references
UUID 64fa0de0-6240-41f4-8638-f4ca7ed528fd
which can be used as unique global reference for PlugX - S0013
in MISP communities and other software using the MISP galaxy
External references
- http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf - webarchive
- http://labs.lastline.com/an-analysis-of-plugx - webarchive
- http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/ - webarchive
- https://attack.mitre.org/software/S0013 - webarchive
- https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html - webarchive
- https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0013 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
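Every entry on this page carries the same three handles a practitioner keys on when correlating reports: the MISP UUID presented as the cluster's global reference, the ATT&CK external_id, and the synonym table (PlugX alone is reported under seven names). The following Python is an added example, not code from the MISP galaxy project or from MITRE: it loads a galaxy cluster document, validates the UUIDs and S-IDs, and resolves any of those handles to the entry. The cluster JSON layout (a "values" list whose items carry "value", "uuid" and a "meta" dict with "external_id", "synonyms" and "mitre_platforms") is assumed, and the four entries in the sample are constructed here from this page rather than loaded from the real galaxy file.

```python
"""Look up malware entries in a MISP galaxy cluster by ATT&CK ID, MISP UUID,
canonical name or synonym, and check the cluster for name collisions.

Added example, not code from the MISP project or from MITRE.  It assumes
the mitre-malware galaxy cluster layout: a top-level "values" list whose
items carry "value", "uuid" and a "meta" dict with "external_id",
"synonyms" and "mitre_platforms".  The sample below is constructed from
four entries on this page; it is not the real galaxy file.
"""
import json
import re
import uuid
from collections import defaultdict

SAMPLE_CLUSTER_JSON = json.dumps({
    "name": "Malware",
    "type": "mitre-malware",
    "values": [
        {"value": "PlugX - S0013",
         "uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
         "meta": {"external_id": "S0013", "mitre_platforms": ["Windows"],
                  "synonyms": ["DestroyRAT", "Kaba", "Korplug", "PlugX",
                               "Sogu", "TVT", "Thoper"]}},
        {"value": "Shamoon - S0140",
         "uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
         "meta": {"external_id": "S0140", "mitre_platforms": ["Windows"],
                  "synonyms": ["Disttrack", "Shamoon"]}},
        {"value": "CHOPSTICK - S0023",
         "uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
         "meta": {"external_id": "S0023", "mitre_platforms": ["Windows", "Linux"],
                  "synonyms": ["Backdoor.SofacyX", "CHOPSTICK", "SPLM",
                               "X-Agent", "Xagent", "webhp"]}},
        {"value": "Uroburos - S0022",
         "uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4",
         "meta": {"external_id": "S0022",
                  "mitre_platforms": ["Linux", "Windows", "macOS"],
                  "synonyms": ["Snake", "Uroburos"]}},
    ],
})


def normalize(name):
    """Fold case and drop punctuation/whitespace so 'X-Agent', 'Xagent' and
    'x agent' compare equal.  Any cross-entry collision this folding creates
    is surfaced by find_collisions() instead of being silently merged."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def load_cluster(text):
    """Parse a galaxy cluster document.  Each entry's UUID must parse as
    RFC 4122 and already be in canonical lowercase hyphenated form; the
    ATT&CK software ID must be 'S' followed by four digits."""
    doc = json.loads(text)
    entries = []
    for item in doc["values"]:
        meta = item.get("meta", {})
        if str(uuid.UUID(item["uuid"])) != item["uuid"]:
            raise ValueError(f"non-canonical uuid: {item['uuid']}")
        ext_id = meta.get("external_id", "")
        if not re.fullmatch(r"S\d{4}", ext_id):
            raise ValueError(f"bad external_id for {item['value']}: {ext_id!r}")
        entries.append({
            "name": item["value"],
            "uuid": item["uuid"],
            "external_id": ext_id,
            "platforms": tuple(meta.get("mitre_platforms", [])),
            "synonyms": tuple(meta.get("synonyms", [])),
        })
    return entries


def build_index(entries):
    """Map every handle (UUID, S-ID, canonical 'Name - SXXXX', the short
    name before ' - S', and each synonym) to the set of entry positions."""
    index = defaultdict(set)
    for i, e in enumerate(entries):
        keys = [e["uuid"], e["external_id"], e["name"],
                e["name"].rsplit(" - ", 1)[0], *e["synonyms"]]
        for k in keys:
            index[normalize(k)].add(i)
    return index


def resolve(entries, index, query):
    """Entries matching query, in cluster order.  More than one element
    means the name is ambiguous and the caller must disambiguate."""
    return [entries[i] for i in sorted(index.get(normalize(query), ()))]


def find_collisions(entries, index):
    """Normalized handles that point at more than one distinct entry."""
    return sorted(k for k, ids in index.items() if len(ids) > 1)


if __name__ == "__main__":
    ents = load_cluster(SAMPLE_CLUSTER_JSON)
    idx = build_index(ents)
    for q in ("Korplug", "S0140", "x-agent", "80a014ba-3fef-4768-990b-37d8bd10d7f4"):
        hits = resolve(ents, idx, q)
        print(q, "->", [(h["external_id"], h["uuid"]) for h in hits])
    print("collisions:", find_collisions(ents, idx))
```

resolve() deliberately returns a list rather than a single entry: run find_collisions() over the concatenated malware and tool galaxies before trusting a bare name, since the page itself notes that "Shamoon" and "Sykipot" name both a group and its malware and that X-Agent for Android is tracked as a separate cluster from the X-Agent synonym of CHOPSTICK. For authoritative joins, key on the UUID or the external_id and treat a synonym hit as a lead to confirm.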
Squirrelwaffle - S1030
Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email campaigns to deliver additional malware such as Cobalt Strike and the QakBot banking trojan.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Squirrelwaffle - S1030.
Known Synonyms |
---|
Squirrelwaffle |
Internal MISP references
UUID 3c18ad16-9eaf-4649-984e-68551bff0d47
which can be used as unique global reference for Squirrelwaffle - S1030
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1030 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Fysbis - S0410
Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.(Citation: Fysbis Palo Alto Analysis)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fysbis - S0410.
Known Synonyms |
---|
Fysbis |
Internal MISP references
UUID 50d6688b-0985-4f3d-8cbe-0c796b30703b
which can be used as unique global reference for Fysbis - S0410
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0410 |
mitre_platforms | ['Linux'] |
Related clusters
To see the related clusters, click here.
Shamoon - S0140
Shamoon is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. Shamoon has also been seen leveraging RawDisk and Filerase to carry out data wiping tasks. Analysis has linked Shamoon with Kwampirs based on multiple shared artifacts and coding patterns.(Citation: Cylera Kwampirs 2022) The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Shamoon - S0140.
Known Synonyms |
---|
Disttrack |
Shamoon |
Internal MISP references
UUID 8901ac23-6b50-410c-b0dd-d8174a86f9b3
which can be used as unique global reference for Shamoon - S0140
in MISP communities and other software using the MISP galaxy
External references
- http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/ - webarchive
- https://attack.mitre.org/software/S0140 - webarchive
- https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf - webarchive
- https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/ - webarchive
- https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html - webarchive
- https://www.symantec.com/connect/blogs/shamoon-attacks - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0140 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Wiper - S0041
Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper)
Internal MISP references
UUID a19c49aa-36fe-4c05-b817-23e1c7a7d085
which can be used as unique global reference for Wiper - S0041
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0041 |
Related clusters
To see the related clusters, click here.
MiniDuke - S0051
MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke. (Citation: F-Secure The Dukes)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MiniDuke - S0051.
Known Synonyms |
---|
MiniDuke |
Internal MISP references
UUID 5e7ef1dc-7fb6-4913-ac75-e06113b59e0c
which can be used as unique global reference for MiniDuke - S0051
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0051 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
POSHSPY - S0150
POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to serve as a secondary backdoor, used if the actors lost access to their primary backdoors. (Citation: FireEye POSHSPY April 2017)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POSHSPY - S0150.
Known Synonyms |
---|
POSHSPY |
Internal MISP references
UUID 5e595477-2e78-4ce7-ae42-e0b059b17808
which can be used as unique global reference for POSHSPY - S0150
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0150 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Ixeshe - S0015
Ixeshe is a malware family that has been used since at least 2009 against targets in East Asia. (Citation: Moran 2013)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ixeshe - S0015.
Known Synonyms |
---|
Ixeshe |
Internal MISP references
UUID 8beac7c2-48d2-4cd9-9b15-6c452f38ac06
which can be used as unique global reference for Ixeshe - S0015
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0015 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
PipeMon - S0501
PipeMon is a multi-stage modular backdoor used by Winnti Group.(Citation: ESET PipeMon May 2020)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PipeMon - S0501.
Known Synonyms |
---|
PipeMon |
Internal MISP references
UUID 8393dac0-0583-456a-9372-fd81691bca20
which can be used as unique global reference for PipeMon - S0501
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0501 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
HDoor - S0061
HDoor is malware that has been customized and used by the Naikon group. (Citation: Baumgartner Naikon 2015)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HDoor - S0061.
Known Synonyms |
---|
Custom HDoor |
HDoor |
Internal MISP references
UUID 007b44b6-e4c5-480b-b5b9-56f2081b1b7b
which can be used as unique global reference for HDoor - S0061
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0061 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Hildegard - S0601
Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard. (Citation: Unit 42 Hildegard Malware)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hildegard - S0601.
Known Synonyms |
---|
Hildegard |
Internal MISP references
UUID 40a1b8ec-7295-416c-a6b1-68181d86f120
which can be used as unique global reference for Hildegard - S0601
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0601 |
mitre_platforms | ['Linux', 'Containers', 'IaaS'] |
Related clusters
To see the related clusters, click here.
Mafalda - S1060
Mafalda is a flexible interactive implant that has been used by Metador. Security researchers assess the Mafalda name may be inspired by an Argentinian cartoon character that has been popular as a means of political commentary since the 1960s. (Citation: SentinelLabs Metador Sept 2022)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mafalda - S1060.
Known Synonyms |
---|
Mafalda |
Internal MISP references
UUID 3be1fb7a-0f7e-415e-8e3a-74a80d596e68
which can be used as unique global reference for Mafalda - S1060
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1060 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
SideTwist - S0610
SideTwist is a C-based backdoor that has been used by OilRig since at least 2021.(Citation: Check Point APT34 April 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SideTwist - S0610.
Known Synonyms |
---|
SideTwist |
Internal MISP references
UUID df4cd566-ff2f-4d08-976d-8c86e95782de
which can be used as unique global reference for SideTwist - S0610
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0610 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
BISCUIT - S0017
BISCUIT is a backdoor that has been used by APT1 since as early as 2007. (Citation: Mandiant APT1)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BISCUIT - S0017.
Known Synonyms |
---|
BISCUIT |
Internal MISP references
UUID b8eb28e4-48a6-40ae-951a-328714f75eda
which can be used as unique global reference for BISCUIT - S0017
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0017 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Helminth - S0170
Helminth is a backdoor that has at least two variants: one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable. (Citation: Palo Alto OilRig May 2016)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Helminth - S0170.
Known Synonyms |
---|
Helminth |
Internal MISP references
UUID eff1a885-6f90-42a1-901f-eef6e7a1905e
which can be used as unique global reference for Helminth - S0170
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0170 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
hcdLoader - S0071
hcdLoader is a remote access tool (RAT) that has been used by APT18. (Citation: Dell Lateral Movement)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular hcdLoader - S0071.
Known Synonyms |
---|
hcdLoader |
Internal MISP references
UUID 9e2bba94-950b-4fcf-8070-cb3f816c5f4e
which can be used as unique global reference for hcdLoader - S0071
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0071 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Elise - S0081
Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Elise - S0081.
Known Synonyms |
---|
BKDR_ESILE |
Elise |
Page |
Internal MISP references
UUID 7551188b-8f91-4d34-8350-0d0c57b2b913
which can be used as unique global reference for Elise - S0081
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0081 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Fakecalls - S1080
Fakecalls is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.(Citation: kaspersky_fakecalls_0422)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fakecalls - S1080.
Known Synonyms |
---|
Fakecalls |
Internal MISP references
UUID 429e1526-6293-495b-8808-af7f9a66c4be
which can be used as unique global reference for Fakecalls - S1080
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1080 |
mitre_platforms | ['Android'] |
Related clusters
To see the related clusters, click here.
Sykipot - S0018
Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims. (Citation: Alienvault Sykipot DOD Smart Cards) The group using this malware has also been referred to as Sykipot. (Citation: Blasco 2013)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sykipot - S0018.
Known Synonyms |
---|
Sykipot |
Internal MISP references
UUID 6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9
which can be used as unique global reference for Sykipot - S0018
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0018 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Volgmer - S0180
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. (Citation: US-CERT Volgmer Nov 2017)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Volgmer - S0180.
Known Synonyms |
---|
Volgmer |
Internal MISP references
UUID 495b6cdb-7b5a-4fbc-8d33-e7ef68806d08
which can be used as unique global reference for Volgmer - S0180
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0180 - webarchive
- https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2 - webarchive
- https://www.us-cert.gov/ncas/alerts/TA17-318B - webarchive
- https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0180 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
NightClub - S1090
NightClub is a modular implant written in C++ that has been used by MoustachedBouncer since at least 2014.(Citation: MoustachedBouncer ESET August 2023)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NightClub - S1090.
Known Synonyms |
---|
NightClub |
Internal MISP references
UUID 91c57ed3-7c32-4c68-b388-7db00cb8dac6
which can be used as unique global reference for NightClub - S1090
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S1090 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Epic - S0091
Epic is a backdoor that has been used by Turla. (Citation: Kaspersky Turla)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Epic - S0091.
Known Synonyms |
---|
Epic |
TadjMakhal |
Tavdig |
Wipbot |
WorldCupSec |
Internal MISP references
UUID 6b62e336-176f-417b-856a-8552dd8c44e1
which can be used as unique global reference for Epic - S0091
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0091 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Regin - S0019
Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003. (Citation: Kaspersky Regin)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Regin - S0019.
Known Synonyms |
---|
Regin |
Internal MISP references
UUID 4c59cce8-cb48-4141-b9f1-f646edfaadb0
which can be used as unique global reference for Regin - S0019
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0019 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Chaos - S0220
Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. (Citation: Chaos Stolen Backdoor)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chaos - S0220.
Known Synonyms |
---|
Chaos |
Internal MISP references
UUID 5bcd5511-6756-4824-a692-e8bb109364af
which can be used as unique global reference for Chaos - S0220
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0220 |
mitre_platforms | ['Linux'] |
Related clusters
To see the related clusters, click here.
Uroburos - S0022
Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrades since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)(Citation: Kaspersky Turla)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Uroburos - S0022.
Known Synonyms |
---|
Snake |
Uroburos |
Internal MISP references
UUID 80a014ba-3fef-4768-990b-37d8bd10d7f4
which can be used as unique global reference for Uroburos - S0022
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0022 |
mitre_platforms | ['Linux', 'Windows', 'macOS'] |
Related clusters
To see the related clusters, click here.
adbupd - S0202
adbupd is a backdoor used by PLATINUM that is similar to Dipsind. (Citation: Microsoft PLATINUM April 2016)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular adbupd - S0202.
Known Synonyms |
---|
adbupd |
Internal MISP references
UUID 0f1ad2ef-41d4-4b7a-9304-ddae68ea3005
which can be used as unique global reference for adbupd - S0202
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0202 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
CHOPSTICK - S0023
CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the X-Agent for Android.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CHOPSTICK - S0023.
Known Synonyms |
---|
Backdoor.SofacyX |
CHOPSTICK |
SPLM |
X-Agent |
Xagent |
webhp |
Internal MISP references
UUID ccd61dfc-b03f-4689-8c18-7c97eab08472
which can be used as unique global reference for CHOPSTICK - S0023
in MISP communities and other software using the MISP galaxy
External references
- http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf - webarchive
- https://attack.mitre.org/software/S0023 - webarchive
- https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf - webarchive
- https://www.justice.gov/file/1080281/download - webarchive
- https://www.symantec.com/blogs/election-security/apt28-espionage-military-government - webarchive
- https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0023 |
mitre_platforms | ['Windows', 'Linux'] |
Related clusters
To see the related clusters, click here.
DroidJack - S0320
DroidJack is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DroidJack - S0320.
Known Synonyms |
---|
DroidJack |
Internal MISP references
UUID 05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1
which can be used as unique global reference for DroidJack - S0320
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0320 |
mitre_platforms | ['Android'] |
Related clusters
To see the related clusters, click here.
Hydraq - S0203
Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.(Citation: MicroFocus 9002 Aug 2016)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: ASERT Seven Pointed Dagger Aug 2015)(Citation: FireEye DeputyDog 9002 November 2013)(Citation: ProofPoint GoT 9002 Aug 2017)(Citation: FireEye Sunshop Campaign May 2013)(Citation: PaloAlto 3102 Sept 2015)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hydraq - S0203.
Known Synonyms |
---|
9002 RAT |
Aurora |
HidraQ |
HomeUnix |
Homux |
HydraQ |
Hydraq |
McRat |
MdmBot |
Roarur |
Internal MISP references
UUID 73a4793a-ce55-4159-b2a6-208ef29b326f
which can be used as unique global reference for Hydraq - S0203
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0203 - webarchive
- https://community.softwaregrp.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WosBVKjwZPZ - webarchive
- https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/ - webarchive
- https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
- https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf - webarchive
- https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html - webarchive
- https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html - webarchive
- https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures - webarchive
- https://www.symantec.com/connect/blogs/trojanhydraq-incident - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0203 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
ZeroT - S0230
ZeroT is a Trojan used by TA459, often in conjunction with PlugX. (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ZeroT - S0230.
Known Synonyms |
---|
ZeroT |
Internal MISP references
UUID 4ab44516-ad75-4e43-a280-705dc0420e2f
which can be used as unique global reference for ZeroT - S0230
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0230 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Twitoor - S0302
Twitoor is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Twitoor - S0302.
Known Synonyms |
---|
Twitoor |
Internal MISP references
UUID 41e3fd01-7b83-471f-835d-d2b1dc9a770c
which can be used as unique global reference for Twitoor - S0302
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0302 |
mitre_platforms | ['Android'] |
Related clusters
To see the related clusters, click here.
Get2 - S0460
Get2 is a downloader written in C++ that has been used by TA505 to deliver FlawedGrace, FlawedAmmyy, Snatch and SDBbot.(Citation: Proofpoint TA505 October 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Get2 - S0460.
Known Synonyms |
---|
Get2 |
Internal MISP references
UUID 099ecff2-41b8-436d-843c-038a9aa9aa69
which can be used as unique global reference for Get2 - S0460
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0460 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
LOWBALL - S0042
LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations. (Citation: FireEye admin@338)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LOWBALL - S0042.
Known Synonyms |
---|
LOWBALL |
Internal MISP references
UUID 2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b
which can be used as unique global reference for LOWBALL - S0042
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0042 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
ROKRAT - S0240
ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT37 has used ROKRAT during several campaigns from 2016 through 2021.(Citation: Talos ROKRAT)(Citation: Talos Group123)(Citation: Volexity InkySquid RokRAT August 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ROKRAT - S0240.
Known Synonyms |
---|
ROKRAT |
Internal MISP references
UUID 60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f
which can be used as unique global reference for ROKRAT - S0240
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0240 - webarchive
- https://blog.talosintelligence.com/2017/04/introducing-rokrat.html - webarchive
- https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html - webarchive
- https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html - webarchive
- https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0240 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Briba - S0204
Briba is a trojan used by Elderwood to open a backdoor and download files on to compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Briba May 2012)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Briba - S0204.
Known Synonyms |
---|
Briba |
Internal MISP references
UUID 79499993-a8d6-45eb-b343-bf58dea5bdde
which can be used as unique global reference for Briba - S0204
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0204 - webarchive
- https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
- https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0204 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Dvmap - S0420
Dvmap is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dvmap - S0420.
Known Synonyms |
---|
Dvmap |
Internal MISP references
UUID 22b596a6-d288-4409-8520-5f2846f85514
which can be used as unique global reference for Dvmap - S0420
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0420 |
mitre_platforms | ['Android'] |
Related clusters
To see the related clusters, click here.
Dyre - S0024
Dyre is a banking Trojan that has been used for financial gain. (Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dyre - S0024.
Known Synonyms |
---|
Dyre |
Dyreza |
Dyzap |
Internal MISP references
UUID 63c2a130-8a5b-452f-ad96-07cf0af12ffe
which can be used as unique global reference for Dyre - S0024
in MISP communities and other software using the MISP galaxy
External references
- http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf - webarchive
- https://attack.mitre.org/software/S0024 - webarchive
- https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/ - webarchive
- https://nakedsecurity.sophos.com/2015/04/20/notes-from-sophoslabs-dyreza-the-malware-that-discriminates-against-old-computers/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0024 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
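The UUID and external_id lines in each record are the two keys that let a MISP community and an ATT&CK-based tool refer to the same cluster, and the synonyms table is what lets a vendor name such as Dyreza or Dyzap be mapped back to S0024. As an added example (not code from MISP or MITRE), the following Python reads the flattened text layout used on this page (the galaxy itself is distributed as JSON; this parses the text as rendered here), builds an index that resolves any name or synonym to its S-id and refuses a label claimed by two clusters, and checks that a record's UUID parses and is in canonical form. The SAMPLE string is a constructed, abridged copy of the Dyre and HAMMERTOSS records from this page. The regexes, function names, and the rule that a synonyms table ends at the first line not ending in " |" are assumptions about this layout, not documented MISP behaviour.

```python
import ast
import re
import uuid
from dataclasses import dataclass, field

# Constructed sample: the page's Dyre and HAMMERTOSS records, abridged, in the
# flattened text layout this page shows (the galaxy itself is distributed as JSON).
SAMPLE = """\
Dyre - S0024
Dyre is a banking Trojan that has been used for financial gain. (Citation: Symantec Dyre June 2015)
Known Synonyms |
---|
Dyre |
Dyreza |
Dyzap |
UUID 63c2a130-8a5b-452f-ad96-07cf0af12ffe
which can be used as unique global reference for Dyre - S0024
Metadata key | Value |
---|---|
external_id | S0024 |
mitre_platforms | ['Windows'] |
HAMMERTOSS - S0037
Known Synonyms |
---|
HAMMERTOSS |
HammerDuke |
NetDuke |
UUID 2daa14d6-cbf3-4308-bb8e-213c324a08e4
external_id | S0037 |
mitre_platforms | ['Windows'] |
"""

# Assumed layout rules (this page's rendering, not a MISP specification).
HEADER_RE = re.compile(r"^(?P<name>.+) - (?P<id>S\d{4})$")
UUID_RE = re.compile(r"^UUID (?P<uuid>\S+)$")
META_RE = re.compile(r"^(?P<key>[a-z_]+) \| (?P<value>.+) \|$")


@dataclass
class SoftwareCluster:
    name: str
    external_id: str
    misp_uuid: str = ""
    synonyms: list = field(default_factory=list)
    platforms: list = field(default_factory=list)


def parse_galaxy_text(text):
    # One pass over the flattened layout; any line not ending in " |" closes a synonyms table.
    clusters, current, in_synonyms = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        # The UUID sentence repeats "<name> - <id>" and must not open a new record.
        if not line or line.startswith("which can be used as unique global reference"):
            continue
        if m := HEADER_RE.match(line):
            current = SoftwareCluster(name=m["name"], external_id=m["id"])
            clusters.append(current)
            in_synonyms = False
            continue
        if current is None:
            continue
        if line == "Known Synonyms |":
            in_synonyms = True
            continue
        if in_synonyms:
            if line == "---|":
                continue
            if line.endswith(" |"):
                current.synonyms.append(line[:-2].strip())
                continue
            in_synonyms = False
        if m := UUID_RE.match(line):
            current.misp_uuid = m["uuid"]
        elif m := META_RE.match(line):
            # The header id and the external_id row must agree, or the record is corrupt.
            if m["key"] == "external_id" and m["value"] != current.external_id:
                raise ValueError(f"{current.name}: header/metadata id mismatch")
            if m["key"] == "mitre_platforms":
                current.platforms = list(ast.literal_eval(m["value"]))
    return clusters


def build_index(clusters):
    # Map every name and synonym (case-folded) to its ATT&CK software id;
    # a label claimed by two clusters is an error, not a silent overwrite.
    index = {}
    for c in clusters:
        for label in {c.name, *c.synonyms}:
            key = label.casefold()
            if index.get(key, c.external_id) != c.external_id:
                raise ValueError(f"label {label!r} is claimed by two clusters")
            index[key] = c.external_id
    return index


def validate(cluster):
    # Checks to run before trusting a record as a global reference.
    problems = []
    try:
        if str(uuid.UUID(cluster.misp_uuid)) != cluster.misp_uuid:
            problems.append("uuid is not in canonical lowercase form")
    except ValueError:
        problems.append("uuid is missing or malformed")
    if cluster.synonyms and cluster.name not in cluster.synonyms:
        problems.append("name is absent from its own synonyms table")
    return problems
```

Typical use is `build_index(parse_galaxy_text(text))` over the whole export, then `index.get(vendor_name.casefold())` when enriching a detection or report with the ATT&CK software id; run `validate` on each record first so that a malformed UUID or a mismatched id is rejected before it is shared as a global reference.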
CALENDAR - S0025
CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic. (Citation: Mandiant APT1)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CALENDAR - S0025.
Known Synonyms |
---|
CALENDAR |
Internal MISP references
UUID 5a84dc36-df0d-4053-9b7c-f0c388a57283
which can be used as unique global reference for CALENDAR - S0025
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0025 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
BLINDINGCAN - S0520
BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BLINDINGCAN - S0520.
Known Synonyms |
---|
BLINDINGCAN |
Internal MISP references
UUID 01dbc71d-0ee8-420d-abb4-3dfb6a4bf725
which can be used as unique global reference for BLINDINGCAN - S0520
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0520 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
OnionDuke - S0052
OnionDuke is malware that was used by APT29 from 2013 to 2015. (Citation: F-Secure The Dukes)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OnionDuke - S0052.
Known Synonyms |
---|
OnionDuke |
Internal MISP references
UUID b136d088-a829-432c-ac26-5529c26d4c7e
which can be used as unique global reference for OnionDuke - S0052
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0052 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Drovorub - S0502
Drovorub is a Linux malware toolset consisting of an agent, a client, a server, and kernel modules that has been used by APT28.(Citation: NSA/FBI Drovorub August 2020)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Drovorub - S0502.
Known Synonyms |
---|
Drovorub |
Internal MISP references
UUID 99164b38-1775-40bc-b77b-a2373b14540a
which can be used as unique global reference for Drovorub - S0502
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0502 |
mitre_platforms | ['Linux'] |
Related clusters
To see the related clusters, click here.
Naid - S0205
Naid is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Naid June 2012)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Naid - S0205.
Known Synonyms |
---|
Naid |
Internal MISP references
UUID 48523614-309e-43bf-a2b8-705c2b45d7b2
which can be used as unique global reference for Naid - S0205
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0205 - webarchive
- https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
- https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0205 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
GLOOXMAIL - S0026
GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic. (Citation: Mandiant APT1)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GLOOXMAIL - S0026.
Known Synonyms |
---|
GLOOXMAIL |
Trojan.GTALK |
Internal MISP references
UUID f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2
which can be used as unique global reference for GLOOXMAIL - S0026
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0026 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Circles - S0602
Circles reportedly exploits weaknesses in Signaling System 7 (SS7), the protocol suite used to route phone calls, both to track the location of mobile devices and to intercept voice calls and SMS messages. It can be connected to a telecommunications company’s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Circles - S0602.
Known Synonyms |
---|
Circles |
Internal MISP references
UUID c6a07c89-a24c-4c7e-9e3e-6153cc595e24
which can be used as unique global reference for Circles - S0602
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0602 |
Related clusters
To see the related clusters, click here.
DustySky - S0062
DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015. (Citation: DustySky) (Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DustySky - S0062.
Known Synonyms |
---|
DustySky |
NeD Worm |
Internal MISP references
UUID 687c23e4-4e25-4ee7-a870-c5e002511f54
which can be used as unique global reference for DustySky - S0062
in MISP communities and other software using the MISP galaxy
External references
- http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf - webarchive
- https://attack.mitre.org/software/S0062 - webarchive
- https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/ - webarchive
- https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0062 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
InvisiMole - S0260
InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 2013. InvisiMole has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in Ukraine and Russia. Gamaredon Group infrastructure has been used to download and execute InvisiMole against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular InvisiMole - S0260.
Known Synonyms |
---|
InvisiMole |
Internal MISP references
UUID 47afe41c-4c08-485e-b062-c3bd209a1cce
which can be used as unique global reference for InvisiMole - S0260
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0260 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Wiarp - S0206
Wiarp is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Wiarp - S0206.
Known Synonyms |
---|
Wiarp |
Internal MISP references
UUID 039814a0-88de-46c5-a4fb-b293db21880a
which can be used as unique global reference for Wiarp - S0206
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0206 - webarchive
- https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
- https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0206 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
OwaAuth - S0072
OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. (Citation: Dell TG-3390)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OwaAuth - S0072.
Known Synonyms |
---|
OwaAuth |
Internal MISP references
UUID a60657fa-e2e7-4f8f-8128-a882534ae8c5
which can be used as unique global reference for OwaAuth - S0072
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0072 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
RogueRobin - S0270
RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RogueRobin - S0270.
Known Synonyms |
---|
RogueRobin |
Internal MISP references
UUID 8ec6e3b4-b06d-4805-b6aa-af916acc2122
which can be used as unique global reference for RogueRobin - S0270
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0270 - webarchive
- https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/ - webarchive
- https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0270 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Vasport - S0207
Vasport is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Vasport May 2012)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vasport - S0207.
Known Synonyms |
---|
Vasport |
Internal MISP references
UUID f4d8a2d6-c684-453a-8a14-cf4a94f755c5
which can be used as unique global reference for Vasport - S0207
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0207 - webarchive
- https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
- https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-5938-99 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0207 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Zeroaccess - S0027
Zeroaccess is a kernel-mode rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain. (Citation: Sophos ZeroAccess)
Internal MISP references
UUID 552462b9-ae79-49dd-855c-5973014e157f
which can be used as unique global reference for Zeroaccess - S0027
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0027 |
Related clusters
To see the related clusters, click here.
SHIPSHAPE - S0028
SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)
Internal MISP references
UUID b1de6916-7a22-4460-8d26-6b5483ffaa2a
which can be used as unique global reference for SHIPSHAPE - S0028
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0028 |
Related clusters
To see the related clusters, click here.
Emissary - S0082
Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise; both Trojans belong to a malware group referred to as LStudio. (Citation: Lotus Blossom Dec 2015)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Emissary - S0082.
Known Synonyms |
---|
Emissary |
Internal MISP references
UUID 0f862b01-99da-47cc-9bdb-db4a86a95bb1
which can be used as unique global reference for Emissary - S0082
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0082 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
MirageFox - S0280
MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. (Citation: APT15 Intezer June 2018)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MirageFox - S0280.
Known Synonyms |
---|
MirageFox |
Internal MISP references
UUID e3cedcfe-6515-4348-af65-7f2c4157bf0d
which can be used as unique global reference for MirageFox - S0280
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0280 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Pasam - S0208
Pasam is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Pasam May 2012)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pasam - S0208.
Known Synonyms |
---|
Pasam |
Internal MISP references
UUID e811ff6a-4cef-4856-a6ae-a7daf9ed39ae
which can be used as unique global reference for Pasam - S0208
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0208 - webarchive
- https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf - webarchive
- https://www.symantec.com/security_response/writeup.jsp?docid=2012-050412-4128-99 - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0208 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Darkmoon - S0209
Internal MISP references
UUID 310f437b-29e7-4844-848c-7220868d074a
which can be used as unique global reference for Darkmoon - S0209
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0209 |
Related clusters
To see the related clusters, click here.
Gooligan - S0290
Gooligan is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. Gooligan has been described as part of the Ghost Push Android malware family. (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gooligan - S0290.
Known Synonyms |
---|
Ghost Push |
Gooligan |
Internal MISP references
UUID 20d56cd6-8dff-4871-9889-d32d254816de
which can be used as unique global reference for Gooligan - S0290
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0290 |
mitre_platforms | ['Android'] |
Related clusters
To see the related clusters, click here.
MazarBOT - S0303
MazarBOT is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)
Internal MISP references
UUID 5ddf81ea-2c06-497b-8c30-5f1ab89a40f9
which can be used as unique global reference for MazarBOT - S0303
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0303 |
Related clusters
To see the related clusters, click here.
NetTraveler - S0033
NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. (Citation: Kaspersky NetTraveler)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NetTraveler - S0033.
Known Synonyms |
---|
NetTraveler |
Internal MISP references
UUID cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e
which can be used as unique global reference for NetTraveler - S0033
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0033 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
BUBBLEWRAP - S0043
BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. (Citation: FireEye admin@338)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BUBBLEWRAP - S0043.
Known Synonyms |
---|
BUBBLEWRAP |
Backdoor.APT.FakeWinHTTPHelper |
Internal MISP references
UUID 123bd7b3-675c-4b1a-8482-c55782b20e2b
which can be used as unique global reference for BUBBLEWRAP - S0043
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0043 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
NETEAGLE - S0034
NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” (Citation: FireEye APT30)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NETEAGLE - S0034.
Known Synonyms |
---|
NETEAGLE |
Internal MISP references
UUID 53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2
which can be used as unique global reference for NETEAGLE - S0034
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0034 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Octopus - S0340
Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014.(Citation: Securelist Octopus Oct 2018)(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Octopus - S0340.
Known Synonyms |
---|
Octopus |
Internal MISP references
UUID e2031fd5-02c2-43d4-85e2-b64f474530c2
which can be used as unique global reference for Octopus - S0340
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0340 - webarchive
- https://securelist.com/octopus-infested-seas-of-central-asia/88200/ - webarchive
- https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html - webarchive
- https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0340 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Riltok - S0403
Riltok is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Riltok - S0403.
Known Synonyms |
---|
Riltok |
Internal MISP references
UUID c0efbaae-9e7d-4716-a92d-68373aac7424
which can be used as unique global reference for Riltok - S0403
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0403 |
mitre_platforms | ['Android'] |
Related clusters
To see the related clusters, click here.
SPACESHIP - S0035
SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SPACESHIP - S0035.
Known Synonyms |
---|
SPACESHIP |
Internal MISP references
UUID 8b880b41-5139-4807-baa9-309690218719
which can be used as unique global reference for SPACESHIP - S0035
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0035 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
SeaDuke - S0053
SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar. (Citation: F-Secure The Dukes)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SeaDuke - S0053.
Known Synonyms |
---|
SeaDaddy |
SeaDesk |
SeaDuke |
Internal MISP references
UUID 67e6d66b-1b82-4699-b47a-e2efb6268d14
which can be used as unique global reference for SeaDuke - S0053
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0053 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
FrameworkPOS - S0503
FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from systems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FrameworkPOS - S0503.
Known Synonyms |
---|
FrameworkPOS |
Trinity |
Internal MISP references
UUID 1cdbbcab-903a-414d-8eb0-439a97343737
which can be used as unique global reference for FrameworkPOS - S0503
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0503 |
Related clusters
To see the related clusters, click here.
Melcoz - S0530
Melcoz is a banking trojan family built from the open-source tool Remote Access PC. Melcoz was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.(Citation: Securelist Brazilian Banking Malware July 2020)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Melcoz - S0530.
Known Synonyms |
---|
Melcoz |
Internal MISP references
UUID d3105fb5-c494-4fd1-a7be-414eab9e0c96
which can be used as unique global reference for Melcoz - S0530
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0530 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
zwShell - S0350
zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.(Citation: McAfee Night Dragon)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular zwShell - S0350.
Known Synonyms |
---|
zwShell |
Internal MISP references
UUID 54e8672d-5338-4ad1-954a-a7c986bee530
which can be used as unique global reference for zwShell - S0350
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0350 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
BONDUPDATER - S0360
BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig Sep 2018)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BONDUPDATER - S0360.
Known Synonyms |
---|
BONDUPDATER |
Internal MISP references
UUID d5268dfb-ae2b-4e0e-ac07-02a460613d8a
which can be used as unique global reference for BONDUPDATER - S0360
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0360 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
FLASHFLOOD - S0036
FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FLASHFLOOD - S0036.
Known Synonyms |
---|
FLASHFLOOD |
Internal MISP references
UUID 43213480-78f7-4fb3-976f-d48f5f6a4c2a
which can be used as unique global reference for FLASHFLOOD - S0036
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0036 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
SHOTPUT - S0063
SHOTPUT is a custom backdoor used by APT3. (Citation: FireEye Clandestine Wolf)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SHOTPUT - S0063.
Known Synonyms |
---|
Backdoor.APT.CookieCutter |
Pirpi |
SHOTPUT |
Internal MISP references
UUID 58adaaa8-f1e8-4606-9a08-422e568461eb
which can be used as unique global reference for SHOTPUT - S0063
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0063 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Nebulae - S0630
Nebulae is a backdoor that has been used by Naikon since at least 2020.(Citation: Bitdefender Naikon April 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nebulae - S0630.
Known Synonyms |
---|
Nebulae |
Internal MISP references
UUID 22b17791-45bf-45c0-9322-ff1a0af5cf2b
which can be used as unique global reference for Nebulae - S0630
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0630 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Stuxnet - S0603
Stuxnet was the first publicly reported piece of malware to specifically target industrial control system (ICS) devices. Stuxnet is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) Stuxnet was discovered in 2010, with some components being used as early as November 2008.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Stuxnet - S0603.
Known Synonyms |
---|
Stuxnet |
W32.Stuxnet |
Internal MISP references
UUID 088f1d6e-0783-47c6-9923-9c79b2af43d4
which can be used as unique global reference for Stuxnet - S0603
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0603 - webarchive
- https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01 - webarchive
- https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf - webarchive
- https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf - webarchive
- https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0603 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
HAMMERTOSS - S0037
HAMMERTOSS is a backdoor that was used by APT29 in 2015. (Citation: FireEye APT29) (Citation: F-Secure The Dukes)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HAMMERTOSS - S0037.
Known Synonyms |
---|
HAMMERTOSS |
HammerDuke |
NetDuke |
Internal MISP references
UUID 2daa14d6-cbf3-4308-bb8e-213c324a08e4
which can be used as unique global reference for HAMMERTOSS - S0037
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0037 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
ASPXSpy - S0073
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. (Citation: Dell TG-3390)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ASPXSpy - S0073.
Known Synonyms |
---|
ASPXSpy |
ASPXTool |
Internal MISP references
UUID 56f46b17-8cfa-46c0-b501-dd52fef394e2
which can be used as unique global reference for ASPXSpy - S0073
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0073 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
SamSam - S0370
SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.(Citation: US-CERT SamSam 2018)(Citation: Talos SamSam Jan 2018)(Citation: Sophos SamSam Apr 2018)(Citation: Symantec SamSam Oct 2018)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SamSam - S0370.
Known Synonyms |
---|
SamSam |
Samas |
Internal MISP references
UUID 4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62
which can be used as unique global reference for SamSam - S0370
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/software/S0370 - webarchive
- https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html - webarchive
- https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf - webarchive
- https://www.symantec.com/blogs/threat-intelligence/samsam-targeted-ransomware-attacks - webarchive
- https://www.us-cert.gov/ncas/alerts/AA18-337A - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0370 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
StoneDrill - S0380
StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with APT33.(Citation: FireEye APT33 Sept 2017)(Citation: Kaspersky StoneDrill 2017)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular StoneDrill - S0380.
Known Synonyms |
---|
DROPSHOT |
StoneDrill |
Internal MISP references
UUID 8dbadf80-468c-4a62-b817-4e4d8b606887
which can be used as unique global reference for StoneDrill - S0380
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0380 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Duqu - S0038
Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Duqu - S0038.
Known Synonyms |
---|
Duqu |
Internal MISP references
UUID 68dca94f-c11d-421e-9287-7c501108e18c
which can be used as unique global reference for Duqu - S0038
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0038 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Misdat - S0083
Misdat is a backdoor that was used in Operation Dust Storm from 2010 to 2011.(Citation: Cylance Dust Storm)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Misdat - S0083.
Known Synonyms |
---|
Misdat |
Internal MISP references
UUID 0db09158-6e48-4e7c-8ce7-2b10b9c0c039
which can be used as unique global reference for Misdat - S0083
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0083 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Adups - S0309
Adups is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)
Internal MISP references
UUID f6ac21b6-2592-400c-8472-10d0e2f1bfaf
which can be used as unique global reference for Adups - S0309
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0309 |
Related clusters
To see the related clusters, click here.
SQLRat - S0390
SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been observed using it.(Citation: Flashpoint FIN 7 March 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SQLRat - S0390.
Known Synonyms |
---|
SQLRat |
Internal MISP references
UUID 8fc6c9e7-a162-4ca4-a488-f1819e9a7b06
which can be used as unique global reference for SQLRat - S0390
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0390 |
Related clusters
To see the related clusters, click here.
JHUHUGIT - S0044
JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware. (Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular JHUHUGIT - S0044.
Known Synonyms |
---|
GAMEFISH |
JHUHUGIT |
JKEYSKW |
Sednit |
Seduploader |
SofacyCarberp |
Trojan.Sofacy |
Internal MISP references
UUID 8ae43c46-57ef-47d5-a77a-eebb35628db2
which can be used as unique global reference for JHUHUGIT - S0044
in MISP communities and other software using the MISP galaxy
External references
- http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf - webarchive
- https://attack.mitre.org/software/S0044 - webarchive
- https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html - webarchive
- https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/ - webarchive
- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/ - webarchive
- https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ - webarchive
- https://www.symantec.com/blogs/election-security/apt28-espionage-military-government - webarchive
- https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
external_id | S0044 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
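The synonym tables above exist so that a name used in a vendor report (Pirpi, Sednit, Seduploader, CRASHOVERRIDE) can be mapped back to one canonical ATT&CK software ID and MISP UUID. The following is an added example of such a normaliser; it is not code from the MISP project or from MITRE. The input is a constructed subset of the galaxy, hand-copied from the SHOTPUT, JHUHUGIT and Industroyer entries on this page and laid out in the MISP galaxy cluster JSON shape (a `values` list of clusters, each with `value`, `uuid` and a `meta` dict holding `synonyms`, `external_id` and `mitre_platforms`). Treat that exact layout as an assumption and check it against the galaxy file you actually load.

```python
"""Synonym normaliser for MITRE ATT&CK software clusters.

Added example, not part of the MISP galaxy or ATT&CK. The sample data below is
a constructed subset copied from entries on this page, laid out in the MISP
galaxy cluster JSON shape (assumed: "values" -> list of clusters with "value",
"uuid" and "meta"{"synonyms","external_id","mitre_platforms"}).
"""
import json
from typing import Dict, Optional

# Constructed sample: three clusters copied from this page.
GALAXY_JSON = json.dumps({
    "values": [
        {
            "value": "SHOTPUT - S0063",
            "uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb",
            "meta": {
                "external_id": "S0063",
                "synonyms": ["Backdoor.APT.CookieCutter", "Pirpi", "SHOTPUT"],
                "mitre_platforms": ["Windows"],
            },
        },
        {
            "value": "JHUHUGIT - S0044",
            "uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
            "meta": {
                "external_id": "S0044",
                "synonyms": ["GAMEFISH", "JHUHUGIT", "JKEYSKW", "Sednit",
                             "Seduploader", "SofacyCarberp", "Trojan.Sofacy"],
                "mitre_platforms": ["Windows"],
            },
        },
        {
            "value": "Industroyer - S0604",
            "uuid": "e401d4fe-f0c9-44f0-98e6-f93487678808",
            "meta": {
                "external_id": "S0604",
                "synonyms": ["CRASHOVERRIDE", "Industroyer", "Win32/Industroyer"],
                "mitre_platforms": ["Windows"],
            },
        },
    ]
})


def _key(name: str) -> str:
    """Case- and whitespace-insensitive lookup key for a malware name."""
    return " ".join(name.split()).casefold()


def build_index(galaxy_json: str) -> Dict[str, dict]:
    """Map every synonym (and the cluster's own name) to its canonical record.

    Raises ValueError if one synonym is claimed by two different clusters: a
    silent overwrite would mis-attribute every later report using that name.
    """
    galaxy = json.loads(galaxy_json)
    index: Dict[str, dict] = {}
    for cluster in galaxy["values"]:
        meta = cluster.get("meta", {})
        # "SHOTPUT - S0063" -> canonical display name "SHOTPUT"
        canonical = cluster["value"].rsplit(" - ", 1)[0]
        record = {
            "name": canonical,
            "external_id": meta.get("external_id"),
            "uuid": cluster["uuid"],
            "platforms": tuple(meta.get("mitre_platforms", [])),
        }
        for alias in [canonical, *meta.get("synonyms", [])]:
            k = _key(alias)
            if k in index and index[k]["uuid"] != record["uuid"]:
                raise ValueError(
                    f"synonym {alias!r} is claimed by both "
                    f"{index[k]['external_id']} and {record['external_id']}"
                )
            index[k] = record
    return index


def resolve(index: Dict[str, dict], name: str) -> Optional[dict]:
    """Return the canonical record for a vendor or report name, or None."""
    return index.get(_key(name))


if __name__ == "__main__":
    idx = build_index(GALAXY_JSON)
    for reported in ["Pirpi", "Sednit", "crashoverride", "NotInGalaxy"]:
        hit = resolve(idx, reported)
        print(f"{reported:>14} -> {hit['external_id'] if hit else 'unknown'}")
```

The conflict check matters in practice: the full galaxy carries hundreds of clusters, and a vendor family name that two clusters both list as a synonym should surface as an error at load time rather than silently resolving to whichever cluster happened to be parsed last.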
SHARPSTATS - S0450
SHARPSTATS is a .NET backdoor used by MuddyWater since at least 2019.(Citation: TrendMicro POWERSTATS V3 June 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SHARPSTATS - S0450.
Known Synonyms |
---|
SHARPSTATS |
Internal MISP references
UUID 73c4711b-407a-449d-b269-e3b1531fe7a9
which can be used as unique global reference for SHARPSTATS - S0450
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0450 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
ADVSTORESHELL - S0045
ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ADVSTORESHELL - S0045.
Known Synonyms |
---|
ADVSTORESHELL |
AZZY |
EVILTOSS |
NETUI |
Sedreco |
Internal MISP references
UUID fb575479-14ef-41e9-bfab-0b7cf10bec73
which can be used as unique global reference for ADVSTORESHELL - S0045
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0045 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Asacub - S0540
Asacub is a banking trojan that attempts to steal money from victims’ bank accounts. It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Asacub - S0540.
Known Synonyms |
---|
Asacub |
Trojan-SMS.AndroidOS.Smaps |
Internal MISP references
UUID a76b837b-93cc-417d-bf28-c47a6a284fa4
which can be used as unique global reference for Asacub - S0540
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0540 |
mitre_platforms | ['Android'] |
Related clusters
To see the related clusters, click here.
Anchor - S0504
Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on selected high profile targets since at least 2018.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Anchor - S0504.
Known Synonyms |
---|
Anchor |
Anchor_DNS |
Internal MISP references
UUID 5f1d4579-4e8f-48e7-860e-2da773ae432e
which can be used as unique global reference for Anchor - S0504
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0504 |
mitre_platforms | ['Linux', 'Windows'] |
Related clusters
To see the related clusters, click here.
CloudDuke - S0054
CloudDuke is malware that was used by APT29 in 2015. (Citation: F-Secure The Dukes) (Citation: Securelist Minidionis July 2015)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CloudDuke - S0054.
Known Synonyms |
---|
CloudDuke |
CloudLook |
MiniDionis |
Internal MISP references
UUID cbf646f1-7db5-4dc6-808b-0094313949df
which can be used as unique global reference for CloudDuke - S0054
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0054 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Exodus - S0405
Exodus is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Exodus - S0405.
Known Synonyms |
---|
Exodus |
Exodus One |
Exodus Two |
Internal MISP references
UUID 3049b2f2-e323-4cdb-91cb-13b37b904cbb
which can be used as unique global reference for Exodus - S0405
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0405 |
mitre_platforms | ['Android'] |
Related clusters
To see the related clusters, click here.
Avaddon - S0640
Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.(Citation: Awake Security Avaddon)(Citation: Arxiv Avaddon Feb 2021)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Avaddon - S0640.
Known Synonyms |
---|
Avaddon |
Internal MISP references
UUID 58c5a3a1-928f-4094-9e98-a5a4e56dd5f3
which can be used as unique global reference for Avaddon - S0640
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0640 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
CozyCar - S0046
CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. (Citation: F-Secure The Dukes)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CozyCar - S0046.
Known Synonyms |
---|
Cozer |
CozyBear |
CozyCar |
CozyDuke |
EuroAPT |
Internal MISP references
UUID e6ef745b-077f-42e1-a37d-29eecff9c754
which can be used as unique global reference for CozyCar - S0046
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0046 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
ELMER - S0064
ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16. (Citation: FireEye EPS Awakens Part 2)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ELMER - S0064.
Known Synonyms |
---|
ELMER |
Internal MISP references
UUID 3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c
which can be used as unique global reference for ELMER - S0064
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0064 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Gustuff - S0406
Gustuff is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gustuff - S0406.
Known Synonyms |
---|
Gustuff |
Internal MISP references
UUID ff8e0c38-be47-410f-a2d3-a3d24a87c617
which can be used as unique global reference for Gustuff - S0406
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0406 |
mitre_platforms | ['Android'] |
Related clusters
To see the related clusters, click here.
Industroyer - S0604
Industroyer is a sophisticated malware framework designed to disrupt the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) Industroyer was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) It is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Industroyer - S0604.
Known Synonyms |
---|
CRASHOVERRIDE |
Industroyer |
Win32/Industroyer |
Internal MISP references
UUID e401d4fe-f0c9-44f0-98e6-f93487678808
which can be used as unique global reference for Industroyer - S0604
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0604 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
BBK - S0470
BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.(Citation: Trend Micro Tick November 2019)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BBK - S0470.
Known Synonyms |
---|
BBK |
Internal MISP references
UUID f0fc920e-57a3-4af5-89be-9ea594c8b1ea
which can be used as unique global reference for BBK - S0470
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0470 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Monokle - S0407
Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but some code artifacts suggest that an iOS version may be in development.(Citation: Lookout-Monokle)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Monokle - S0407.
Known Synonyms |
---|
Monokle |
Internal MISP references
UUID 6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65
which can be used as unique global reference for Monokle - S0407
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0407 |
mitre_platforms | ['Android'] |
Related clusters
To see the related clusters, click here.
Sakula - S0074
Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. (Citation: Dell Sakula)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sakula - S0074.
Known Synonyms |
---|
Sakula |
Sakurel |
VIPER |
Internal MISP references
UUID 96b08451-b27a-4ff6-893f-790e26393a8e
which can be used as unique global reference for Sakula - S0074
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0074 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Cerberus - S0480
Cerberus is a banking trojan that can be rented on underground forums and marketplaces. Prior to being made available for rent, its authors claim it was used in private operations for two years.(Citation: Threat Fabric Cerberus)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cerberus - S0480.
Known Synonyms |
---|
Cerberus |
Internal MISP references
UUID 037f44f0-0c07-4c7f-b40e-0325b5b228a9
which can be used as unique global reference for Cerberus - S0480
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0480 |
mitre_platforms | ['Android'] |
Related clusters
To see the related clusters, click here.
PinchDuke - S0048
PinchDuke is malware that was used by APT29 from 2008 to 2010. (Citation: F-Secure The Dukes)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PinchDuke - S0048.
Known Synonyms |
---|
PinchDuke |
Internal MISP references
UUID ae9d818d-95d0-41da-b045-9cabea1ca164
which can be used as unique global reference for PinchDuke - S0048
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0048 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
GeminiDuke - S0049
GeminiDuke is malware that was used by APT29 from 2009 to 2012. (Citation: F-Secure The Dukes)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GeminiDuke - S0049.
Known Synonyms |
---|
GeminiDuke |
Internal MISP references
UUID 199463de-d9be-46d6-bb41-07234c1dd5a6
which can be used as unique global reference for GeminiDuke - S0049
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
external_id | S0049 |
mitre_platforms | ['Windows'] |
Related clusters
To see the related clusters, click here.
Machete - S0409
Machete is a cyber espionage toolset used by Machete. It is a Python-based backdoor targeting Windows machines that wa