BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)

BOOKWORM is a modular trojan known to be leveraged by Mustang Panda and was first observed utilized in 2015. BOOKWORM was later updated in late 2021 and the fall of 2022 to launch shellcode represented as UUID parameters. (Citation: Broadcom)(Citation: Unit42 Bookworm Nov2015)(Citation: Palo Alto Networks, Unit 42)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	1
BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f)	Attack Pattern	1
BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	1
Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	1
BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	1
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	1
BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	1
BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	1
BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	1
BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	1
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	1
BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	1
BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	1
BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	1
BOOKWORM - S1226 (2ceddaf9-b16a-4f8b-b252-bcccccd3d79f)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2