
SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892)

SPAWNMOLE is a tunneler that injects into the web process. It hijacks the accept function in the web process to monitor incoming traffic and filter out malicious traffic originating from the attacker. The remaining benign traffic is passed unmodified to the legitimate web server functions, while the malicious traffic is tunneled to a host that the attacker provides in the buffer. Mandiant assesses that the attacker would most likely pass a local port on which SPAWNSNAIL is listening in order to access the backdoor.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892) | Tool | SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa) | Backdoor | 1 |
| SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892) | Tool | SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87) | Tool | 1 |
| SPAWNMOLE (6c89c51f-1b97-4966-abc1-9cf526bb2892) | Tool | UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | 1 |
| SPAWNSLOTH (2c237974-edc2-460a-90b5-20f699560da3) | Tool | SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa) | Backdoor | 2 |
| SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa) | Backdoor | SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87) | Tool | 2 |
| SPAWNSNAIL (de390f3e-c0d1-4c70-b121-a7a98f7326aa) | Backdoor | UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | 2 |
| SPAWNANT (e6cf28a6-94a9-4aab-b919-ad2f6a7e3b87) | Tool | UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | 2 |
| UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3) | Threat Actor | UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | 2 |
| SPAWNSLOTH (2c237974-edc2-460a-90b5-20f699560da3) | Tool | UNC5337 (6fcf8d1f-2e68-4982-a579-2ca5595e4990) | Threat Actor | 2 |
| ROOTROT (69d0512d-c12a-4e17-a335-deba012a8499) | Tool | UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3) | Threat Actor | 3 |
| UTA0178 (f288f686-b5b3-4c86-9960-5f8fb18709a3) | Threat Actor | BRICKSTORM (64a0e3ab-e201-4fdc-9836-85365dfa84bb) | Backdoor | 3 |