SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892)

SPAWNMOLE is a tunneler that injects into the web process. It hijacks the accept function in the web process to monitor traffic and filter out malicious traffic originating from the attacker. The remainder of the benign traffic is passed unmodified to the legitimate web server functions. The malicious traffic is tunneled to a host provided by an attacker in the buffer. Mandiant assesses the attacker would most likely pass a local port where SPAWNSNAIL is operating to access the backdoor.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87) | Tool | SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892) | Tool | 1 |
| SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892) | Tool | SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa) | Backdoor | 1 |
| SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892) | Tool | UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | 1 |
| SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87) | Tool | SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa) | Backdoor | 2 |
| SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87) | Tool | UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | 2 |
| UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa) | Backdoor | 2 |
| SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa) | Backdoor | SPAWNSLOTH (2c237974-edc2-460a-90b5-20f699560da3) | Tool | 2 |
| UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3) | Threat Actor | UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | 2 |
| UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | SPAWNSLOTH (2c237974-edc2-460a-90b5-20f699560da3) | Tool | 2 |
| ROOTROT (69d0512d-c12a-4e17-a335-deba012a8499) | Tool | UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3) | Threat Actor | 3 |
| UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3) | Threat Actor | BRICKSTORM (64a0e3ab-e201-4fdc-9836-85365dfa84bb) | Backdoor | 3 |