misp-galaxy/clusters/mitre-enterprise-attack-mal...

2987 lines
125 KiB
JSON
Raw Normal View History

2018-02-21 16:28:11 +01:00
{
2018-05-19 12:57:20 +02:00
"name": "Enterprise Attack - Malware",
"type": "mitre-enterprise-attack-malware",
"description": "Name of ATT&CK software",
"version": 4,
"source": "https://github.com/mitre/cti",
"uuid": "fbd79f02-1707-11e8-b1c7-87406102276a",
"authors": [
"MITRE"
],
"values": [
{
"description": "OLDBAIT is a credential harvester used by APT28. (Citation: FireEye APT28) (Citation: FireEye APT28) January 2017\n\nAliases: OLDBAIT, Sasfis",
"value": "OLDBAIT - S0138",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0138",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"
],
"external_id": "S0138",
"synonyms": [
"OLDBAIT",
"Sasfis"
]
},
"uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be"
},
{
"description": "PHOREAL is a signature backdoor used by APT32. (Citation: FireEye APT32 May 2017)\n\nAliases: PHOREAL",
"value": "PHOREAL - S0158",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0158",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
],
"external_id": "S0158",
"synonyms": [
"PHOREAL"
]
},
"uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e"
},
{
"description": "CosmicDuke is malware that was used by APT29 from 2010 to 2015. (Citation: F-Secure The Dukes)\n\nAliases: CosmicDuke, TinyBaron, BotgenStudios, NemesisGemina",
"value": "CosmicDuke - S0050",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0050",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf"
],
"external_id": "S0050",
"synonyms": [
"CosmicDuke",
"TinyBaron",
"BotgenStudios",
"NemesisGemina"
]
},
"uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee"
},
{
"description": "H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. (Citation: Cisco H1N1 Part 1)\n\nAliases: H1N1",
"value": "H1N1 - S0132",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0132",
"http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities"
],
"external_id": "S0132",
"synonyms": [
"H1N1"
]
},
"uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd"
},
{
"description": "SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)\n\nAliases: SPACESHIP",
"value": "SPACESHIP - S0035",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0035",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"external_id": "S0035",
"synonyms": [
"SPACESHIP"
]
},
"uuid": "8b880b41-5139-4807-baa9-309690218719"
},
{
"description": "Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION. (Citation: Fidelis Hi-Zor)\n\nAliases: Hi-Zor",
"value": "Hi-Zor - S0087",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0087",
"http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
],
"external_id": "S0087",
"synonyms": [
"Hi-Zor"
]
},
"uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc"
},
{
"description": "TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with POWERSOURCE in February 2017. (Citation: FireEye FIN7 March 2017)\n\nAliases: DNSMessenger, TEXTMATE",
"value": "TEXTMATE - S0146",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0146",
"https://www.fireeye.com/blog/threat-research/2017/03/fin7%20spear%20phishing.html"
],
"external_id": "S0146",
"synonyms": [
"DNSMessenger",
"TEXTMATE"
]
},
"uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47"
},
{
"description": "Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. (Citation: Cylance Cleaver)\n\nAliases: Net Crawler, NetC",
"value": "Net Crawler - S0056",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0056",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance%20Operation%20Cleaver%20Report.pdf"
],
"external_id": "S0056",
"synonyms": [
"Net Crawler",
"NetC"
]
},
"uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704"
},
{
"description": "BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)\n\nAliases: BlackEnergy, Black Energy",
"value": "BlackEnergy - S0089",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0089",
"https://www.f-secure.com/documents/996508/1030745/blackenergy%20whitepaper.pdf"
],
"external_id": "S0089",
"synonyms": [
"BlackEnergy",
"Black Energy"
]
},
"uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4"
},
{
"description": " (Citation: XAgentOSX) is a trojan that has been used by APT28 on OS X and appears to be a port of their standard CHOPSTICK or XAgent trojan. (Citation: XAgentOSX)\n\nAliases: (Citation: XAgentOSX)",
"value": "XAgentOSX - S0161",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0161",
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/"
],
"external_id": "S0161",
"synonyms": [
"XAgentOSX"
]
},
"uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069"
},
{
"description": "Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by APT18 and is similar to another malware family, HTTPBrowser, that has been used by the group. (Citation: Palo Alto DNS Requests)\n\nAliases: Pisloader",
"value": "Pisloader - S0124",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0124",
"http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/"
],
"external_id": "S0124",
"synonyms": [
"Pisloader"
]
},
"uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236"
},
{
"description": "Backdoor.Oldrea is a backdoor used by Dragonfly. It appears to be custom malware authored by the group or specifically for it. (Citation: Symantec Dragonfly)\n\nAliases: Backdoor.Oldrea, Havex",
"value": "Backdoor.Oldrea - S0093",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0093",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/Dragonfly%20Threat%20Against%20Western%20Energy%20Suppliers.pdf"
],
"external_id": "S0093",
"synonyms": [
"Backdoor.Oldrea",
"Havex"
]
},
"uuid": "083bb47b-02c8-4423-81a2-f9ef58572974"
},
{
"description": "is a custom JavaScript backdoor used by Leviathan. (Citation: Proofpoint Leviathan Oct 2017)\n\nAliases: NanHaiShu",
"value": "NanHaiShu - S0228",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0228",
"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets"
],
"external_id": "S0228",
"synonyms": [
"NanHaiShu"
]
},
"uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2"
},
{
"description": "Starloader is a loader component that has been observed loading Felismus and associated tools. (Citation: Symantec Sowbug Nov 2017)\n\nAliases: Starloader\n\nContributors: Alan Neville, @abnev",
"value": "Starloader - S0188",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0188",
"https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
],
"external_id": "S0188",
"synonyms": [
"Starloader"
]
},
"uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4"
},
{
"description": "ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017)\n\nAliases: ChChes, Scorpion, HAYMAKER",
"value": "ChChes - S0144",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0144",
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
"http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
],
"external_id": "S0144",
"synonyms": [
"ChChes",
"Scorpion",
"HAYMAKER"
]
},
"uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e"
},
{
"description": "Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. (Citation: TrendMicro Hacking Team UEFI)\n\nAliases: Hacking Team UEFI Rootkit",
"value": "Hacking Team UEFI Rootkit - S0047",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0047",
"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/"
],
"external_id": "S0047",
"synonyms": [
"Hacking Team UEFI Rootkit"
]
},
"uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8"
},
{
"description": "Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17. (Citation: MicroFocus 9002 Aug 2016) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: ASERT Seven Pointed Dagger Aug 2015) (Citation: FireEye DeputyDog 9002 November 2013) (Citation: ProofPoint GoT 9002 Aug 2017) (Citation: FireEye Sunshop Campaign May 2013) (Citation: PaloAlto 3102 Sept 2015)\n\nAliases: Hydraq, Aurora, 9002 RAT",
"value": "Hydraq - S0203",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0203",
"https://community.softwaregrp.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WosBVKjwZPZ",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/connect/blogs/trojanhydraq-incident",
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf",
"https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html",
"https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures",
"https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html",
"https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/"
],
"external_id": "S0203",
"synonyms": [
"Hydraq",
"Aurora",
"9002 RAT"
]
},
"uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f"
},
{
"description": "httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. (Citation: CrowdStrike Putter Panda)\n\nAliases: httpclient",
"value": "httpclient - S0068",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0068",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
],
"external_id": "S0068",
"synonyms": [
"httpclient"
]
},
"uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0"
},
{
"description": "Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instances between 2013 and 2015. (Citation: ESET Sednit Part 3)\n\nAliases: Downdelph, Delphacy",
"value": "Downdelph - S0134",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0134",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf"
],
"external_id": "S0134",
"synonyms": [
"Downdelph",
"Delphacy"
]
},
"uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519"
},
{
"description": "CCBkdr is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. (Citation: Talos CCleanup 2017) (Citation: Intezer Aurora Sept 2017)\n\nAliases: CCBkdr",
"value": "CCBkdr - S0222",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0222",
"http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html",
"http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/"
],
"external_id": "S0222",
"synonyms": [
"CCBkdr"
]
},
"uuid": "b0f13390-cec7-4814-b37c-ccec01887faa"
},
{
"description": "StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. (Citation: Cylance Shell Crew Feb 2017)\n\nAliases: StreamEx",
"value": "StreamEx - S0142",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0142",
"https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar"
],
"external_id": "S0142",
"synonyms": [
"StreamEx"
]
},
"uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86"
},
{
"description": "Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristics as FakeM. (Citation: Scarlet Mimic Jan 2016)\n\nAliases: Psylo",
"value": "Psylo - S0078",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0078",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
],
"external_id": "S0078",
"synonyms": [
"Psylo"
]
},
"uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b"
},
{
"description": "HDoor is malware that has been customized and used by the Naikon group. (Citation: Baumgartner Naikon 2015)\n\nAliases: HDoor, Custom HDoor",
"value": "HDoor - S0061",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0061",
"https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
],
"external_id": "S0061",
"synonyms": [
"HDoor",
"Custom HDoor"
]
},
"uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b"
},
{
"description": "Smoke Loader is a bot that has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. (Citation: Malwarebytes SmokeLoader 2016)\n\nAliases: Smoke Loader, Dofoil",
"value": "Smoke Loader - S0226",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0226",
"https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/"
],
"external_id": "S0226",
"synonyms": [
"Smoke Loader",
"Dofoil"
]
},
"uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0"
},
{
"description": " (Citation: Janicab) is an OS X trojan that relied on a valid developer ID and oblivious users to install it. (Citation: Janicab)\n\nAliases: (Citation: Janicab)",
"value": "Janicab - S0163",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0163",
"http://www.thesafemac.com/new-signed-malware-called-janicab/"
],
"external_id": "S0163",
"synonyms": [
"Janicab"
]
},
"uuid": "234e7770-99b0-4f65-b983-d3230f76a60b"
},
{
"description": "is a backdoor used by APT37. (Citation: FireEye APT37 Feb 2018)\n\nAliases: WINERACK",
"value": "WINERACK - S0219",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0219",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt%20APT37.pdf"
],
"external_id": "S0219",
"synonyms": [
"WINERACK"
]
},
"uuid": "49abab73-3c5c-476e-afd5-69b5c732d845"
},
{
"description": "WINDSHIELD is a signature backdoor used by APT32. (Citation: FireEye APT32 May 2017)\n\nAliases: WINDSHIELD",
"value": "WINDSHIELD - S0155",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0155",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
],
"external_id": "S0155",
"synonyms": [
"WINDSHIELD"
]
},
"uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c"
},
{
"description": "TinyZBot is a bot written in C# that was developed by Cleaver. (Citation: Cylance Cleaver)\n\nAliases: TinyZBot",
"value": "TinyZBot - S0004",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0004",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance%20Operation%20Cleaver%20Report.pdf"
],
"external_id": "S0004",
"synonyms": [
"TinyZBot"
]
},
"uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9"
},
{
"description": "BACKSPACE is a backdoor used by APT30 that dates back to at least 2005. (Citation: FireEye APT30)\n\nAliases: BACKSPACE, Lecna",
"value": "BACKSPACE - S0031",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0031",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"external_id": "S0031",
"synonyms": [
"BACKSPACE",
"Lecna"
]
},
"uuid": "fb261c56-b80e-43a9-8351-c84081e7213d"
},
{
"description": "ZeroT is a Trojan used by TA459, often in conjunction with PlugX. (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017)\n\nAliases: ZeroT",
"value": "ZeroT - S0230",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0230",
"https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts",
"https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
],
"external_id": "S0230",
"synonyms": [
"ZeroT"
]
},
"uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f"
},
{
"description": "PinchDuke is malware that was used by APT29 from 2008 to 2010. (Citation: F-Secure The Dukes)\n\nAliases: PinchDuke",
"value": "PinchDuke - S0048",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0048",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf"
],
"external_id": "S0048",
"synonyms": [
"PinchDuke"
]
},
"uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164"
},
{
"description": "CloudDuke is malware that was used by APT29 in 2015. (Citation: F-Secure The Dukes) (Citation: Securelist Minidionis July 2015)\n\nAliases: CloudDuke, MiniDionis, CloudLook",
"value": "CloudDuke - S0054",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0054",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf",
"https://securelist.com/minidionis-one-more-apt-with-a-usage-of-cloud-drives/71443/"
],
"external_id": "S0054",
"synonyms": [
"CloudDuke",
"MiniDionis",
"CloudLook"
]
},
"uuid": "cbf646f1-7db5-4dc6-808b-0094313949df"
},
{
"description": "RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017)\n\nAliases: RedLeaves, BUGJUICE",
"value": "RedLeaves - S0153",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0153",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
"https://www.fireeye.com/blog/threat-research/2017/04/apt10%20menupass%20grou.html"
],
"external_id": "S0153",
"synonyms": [
"RedLeaves",
"BUGJUICE"
]
},
"uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5"
},
{
"description": "WinMM is a full-featured, simple backdoor used by Naikon. (Citation: Baumgartner Naikon 2015)\n\nAliases: WinMM",
"value": "WinMM - S0059",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0059",
"https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
],
"external_id": "S0059",
"synonyms": [
"WinMM"
]
},
"uuid": "22addc7b-b39f-483d-979a-1b35147da5de"
},
{
"description": "MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet Mimic. (Citation: Scarlet Mimic Jan 2016)\n\nAliases: MobileOrder",
"value": "MobileOrder - S0079",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0079",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
],
"external_id": "S0079",
"synonyms": [
"MobileOrder"
]
},
"uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4"
},
{
"description": "Sys10 is a backdoor that was used throughout 2013 by Naikon. (Citation: Baumgartner Naikon 2015)\n\nAliases: Sys10",
"value": "Sys10 - S0060",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0060",
"https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
],
"external_id": "S0060",
"synonyms": [
"Sys10"
]
},
"uuid": "7f8730af-f683-423f-9ee1-5f6875a80481"
},
{
"description": "Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)\n\nAliases: Duqu",
"value": "Duqu - S0038",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0038",
"https://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/w32%20duqu%20the%20precursor%20to%20the%20next%20stuxnet.pdf"
],
"external_id": "S0038",
"synonyms": [
"Duqu"
]
},
"uuid": "68dca94f-c11d-421e-9287-7c501108e18c"
},
{
"description": "is a downloader used by APT37 to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018)\n\nAliases: HAPPYWORK",
"value": "HAPPYWORK - S0214",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0214",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt%20APT37.pdf"
],
"external_id": "S0214",
"synonyms": [
"HAPPYWORK"
]
},
"uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68"
},
{
"description": "FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic. (Citation: Scarlet Mimic Jan 2016)\n\nAliases: FakeM",
"value": "FakeM - S0076",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0076",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
],
"external_id": "S0076",
"synonyms": [
"FakeM"
]
},
"uuid": "bb3c1098-d654-4620-bf40-694386d28921"
},
{
"description": "SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)\n\nAliases: SHIPSHAPE",
"value": "SHIPSHAPE - S0028",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0028",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"external_id": "S0028",
"synonyms": [
"SHIPSHAPE"
]
},
"uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a"
},
{
"description": "T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. (Citation: FireEye admin@338 March 2014) (Citation: Palo Alto T9000 Feb 2016)\n\nAliases: T9000",
"value": "T9000 - S0098",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0098",
"https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
"http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/"
],
"external_id": "S0098",
"synonyms": [
"T9000"
]
},
"uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3"
},
{
"description": "EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. (Citation: PWC Cloud Hopper Technical Annex April 2017)\n\nAliases: EvilGrab",
"value": "EvilGrab - S0152",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0152",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf"
],
"external_id": "S0152",
"synonyms": [
"EvilGrab"
]
},
"uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78"
},
{
"description": "BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011. (Citation: Villeneuve et al 2014)\n\nAliases: BS2005",
"value": "BS2005 - S0014",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0014",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
],
"external_id": "S0014",
"synonyms": [
"BS2005"
]
},
"uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6"
},
{
"description": "WEBC2 is a backdoor used by APT1 to retrieve a Web page from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)\n\nAliases: WEBC2",
"value": "WEBC2 - S0109",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0109",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip"
],
"external_id": "S0109",
"synonyms": [
"WEBC2"
]
},
"uuid": "1d808f62-cf63-4063-9727-ff6132514c22"
},
{
"description": "PlugX is a remote access tool (RAT) that uses modular plugins. (Citation: Lastline PlugX Analysis) It has been used by multiple threat groups. (Citation: FireEye Clandestine Fox Part 2) (Citation: New DragonOK) (Citation: Dell TG-3390)\n\nAliases: PlugX, Sogu, Kaba, Korplug",
"value": "PlugX - S0013",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0013",
"http://labs.lastline.com/an-analysis-of-plugx",
"https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html",
"http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"
],
"external_id": "S0013",
"synonyms": [
"PlugX",
"Sogu",
"Kaba",
"Korplug"
]
},
"uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd"
},
{
"description": "Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the \"Five Poisons,\" which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of . (Citation: Palo Alto Reaver Nov 2017)\n\nAliases: Reaver",
"value": "Reaver - S0172",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0172",
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
],
"external_id": "S0172",
"synonyms": [
"Reaver"
]
},
"uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29"
},
{
"description": "Misdat is a backdoor that was used by Dust Storm from 2010 to 2011. (Citation: Cylance Dust Storm)\n\nAliases: Misdat",
"value": "Misdat - S0083",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0083",
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op%20Dust%20Storm%20Report.pdf"
],
"external_id": "S0083",
"synonyms": [
"Misdat"
]
},
"uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039"
},
{
"description": "Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to (Citation: XAgentOSX) (Citation: XAgentOSX) (Citation: Sofacy Komplex Trojan).\n\nAliases: Komplex",
"value": "Komplex - S0162",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0162",
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/",
"https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
],
"external_id": "S0162",
"synonyms": [
"Komplex"
]
},
"uuid": "f108215f-3487-489d-be8b-80e346d32518"
},
{
"description": "Taidoor is malware that has been used since at least 2010, primarily to target Taiwanese government organizations. (Citation: TrendMicro Taidoor)\n\nAliases: Taidoor",
"value": "Taidoor - S0011",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0011",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp%20the%20taidoor%20campaign.pdf"
],
"external_id": "S0011",
"synonyms": [
"Taidoor"
]
},
"uuid": "b143dfa4-e944-43ff-8429-bfffc308c517"
},
{
"description": "MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. (Citation: Palo Alto MoonWind March 2017)\n\nAliases: MoonWind",
"value": "MoonWind - S0149",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0149",
"http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
],
"external_id": "S0149",
"synonyms": [
"MoonWind"
]
},
"uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1"
},
{
"description": "Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims. (Citation: Proofpoint Operation Transparent Tribe March 2016)\n\nAliases: Crimson, MSIL/Crimson",
"value": "Crimson - S0115",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0115",
"https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
],
"external_id": "S0115",
"synonyms": [
"Crimson",
"MSIL/Crimson"
]
},
"uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2"
},
{
"description": "Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. (Citation: Palo Alto Rover)\n\nAliases: Rover",
"value": "Rover - S0090",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0090",
"http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/"
],
"external_id": "S0090",
"synonyms": [
"Rover"
]
},
"uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38"
},
{
"description": "ZLib is a full-featured backdoor that was used as a second-stage implant by Dust Storm from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived. (Citation: Cylance Dust Storm)\n\nAliases: ZLib",
"value": "ZLib - S0086",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0086",
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op%20Dust%20Storm%20Report.pdf"
],
"external_id": "S0086",
"synonyms": [
"ZLib"
]
},
"uuid": "166c0eca-02fd-424a-92c0-6b5106994d31"
},
{
"description": "PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. (Citation: Volexity PowerDuke November 2016)\n\nAliases: PowerDuke",
"value": "PowerDuke - S0139",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0139",
"https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
],
"external_id": "S0139",
"synonyms": [
"PowerDuke"
]
},
"uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a"
},
{
"description": "HTTPBrowser is malware that has been used by several threat groups. (Citation: ThreatStream Evasion Analysis) (Citation: Dell TG-3390) It is believed to be of Chinese origin. (Citation: ThreatConnect Anthem)\n\nAliases: HTTPBrowser, Token Control, HttpDump",
"value": "HTTPBrowser - S0070",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0070",
"https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop",
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/"
],
"external_id": "S0070",
"synonyms": [
"HTTPBrowser",
"Token Control",
"HttpDump"
]
},
"uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360"
},
{
"description": "HAMMERTOSS is a backdoor that was used by APT29 in 2015. (Citation: FireEye APT29) (Citation: F-Secure The Dukes)\n\nAliases: HAMMERTOSS, HammerDuke, NetDuke",
"value": "HAMMERTOSS - S0037",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0037",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf"
],
"external_id": "S0037",
"synonyms": [
"HAMMERTOSS",
"HammerDuke",
"NetDuke"
]
},
"uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4"
},
{
"description": "PoisonIvy is a popular remote access tool (RAT) that has been used by many groups. (Citation: FireEye Poison Ivy)\n\nAliases: PoisonIvy, Poison Ivy",
"value": "PoisonIvy - S0012",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0012",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf"
],
"external_id": "S0012",
"synonyms": [
"PoisonIvy",
"Poison Ivy"
]
},
"uuid": "b42378e0-f147-496f-992a-26a49705395b"
},
{
"description": "SHUTTERSPEED is a backdoor used by APT37. (Citation: FireEye APT37 Feb 2018)\n\nAliases: SHUTTERSPEED",
"value": "SHUTTERSPEED - S0217",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0217",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt%20APT37.pdf"
],
"external_id": "S0217",
"synonyms": [
"SHUTTERSPEED"
]
},
"uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8"
},
{
"description": "Carbanak is a remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. (Citation: Kaspersky Carbanak)\n\nAliases: Carbanak, Anunak",
"value": "Carbanak - S0030",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0030",
"https://securelist.com/files/2015/02/Carbanak%20APT%20eng.pdf"
],
"external_id": "S0030",
"synonyms": [
"Carbanak",
"Anunak"
]
},
"uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4"
},
{
"description": "POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater. (Citation: Unit 42 MuddyWater Nov 2017)\n\nAliases: POWERSTATS",
"value": "POWERSTATS - S0223",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0223",
"https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
],
"external_id": "S0223",
"synonyms": [
"POWERSTATS"
]
},
"uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37"
},
{
"description": "Ixeshe is a malware family that has been used since 2009 to attack targets in East Asia. (Citation: Moran 2013)\n\nAliases: Ixeshe",
"value": "Ixeshe - S0015",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0015",
"https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html"
],
"external_id": "S0015",
"synonyms": [
"Ixeshe"
]
},
"uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06"
},
{
"description": "BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. (Citation: Forcepoint Monsoon)\n\nAliases: BADNEWS",
"value": "BADNEWS - S0128",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0128",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
],
"external_id": "S0128",
"synonyms": [
"BADNEWS"
]
},
"uuid": "e9595678-d269-469e-ae6b-75e49259de63"
},
{
"description": "FLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims. (Citation: Mandiant FIN5 GrrCON Oct 2016)\n\nAliases: FLIPSIDE",
"value": "FLIPSIDE - S0173",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0173",
"https://www.youtube.com/watch?v=fevGZs0EQu8"
],
"external_id": "S0173",
"synonyms": [
"FLIPSIDE"
]
},
"uuid": "0e18b800-906c-4e44-a143-b11c72b3448b"
},
{
"description": "Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame)\n\nAliases: Flame, Flamer, sKyWIper",
"value": "Flame - S0143",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0143",
"https://securelist.com/the-flame-questions-and-answers-51/34344/"
],
"external_id": "S0143",
"synonyms": [
"Flame",
"Flamer",
"sKyWIper"
]
},
"uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498"
},
{
"description": "RIPTIDE is a proxy-aware backdoor used by APT12. (Citation: Moran 2014)\n\nAliases: RIPTIDE",
"value": "RIPTIDE - S0003",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0003",
"https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
],
"external_id": "S0003",
"synonyms": [
"RIPTIDE"
]
},
"uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e"
},
{
"description": "Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)\n\nAliases: Daserf, Muirim, Nioupale",
"value": "Daserf - S0187",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0187",
"http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
],
"external_id": "S0187",
"synonyms": [
"Daserf",
"Muirim",
"Nioupale"
]
},
"uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a"
},
{
"description": "CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. (Citation: F-Secure The Dukes)\n\nAliases: CozyCar, CozyDuke, CozyBear, Cozer, EuroAPT",
"value": "CozyCar - S0046",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0046",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf"
],
"external_id": "S0046",
"synonyms": [
"CozyCar",
"CozyDuke",
"CozyBear",
"Cozer",
"EuroAPT"
]
},
"uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754"
},
{
"description": "Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach. (Citation: Symantec Black Vine)\n\nAliases: Mivast",
"value": "Mivast - S0080",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0080",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-black-vine-cyberespionage-group.pdf"
],
"external_id": "S0080",
"synonyms": [
"Mivast"
]
},
"uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3"
},
{
"description": "is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012. (Citation: FireEye APT33 Sept 2017) (Citation: McAfee Netwire Mar 2015) (Citation: FireEye APT33 Webinar Sept 2017)\n\nAliases: NETWIRE",
"value": "NETWIRE - S0198",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0198",
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/",
"https://www.brighttalk.com/webcast/10703/275683"
],
"external_id": "S0198",
"synonyms": [
"NETWIRE"
]
},
"uuid": "2a70812b-f1ef-44db-8578-a496a227aef2"
},
{
"description": "ISMInjector is a Trojan used to install another OilRig backdoor, ISMAgent. (Citation: OilRig New Delivery Oct 2017)\n\nAliases: ISMInjector\n\nContributors: Robert Falcone",
"value": "ISMInjector - S0189",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0189",
"https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/"
],
"external_id": "S0189",
"synonyms": [
"ISMInjector"
]
},
"uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324"
},
{
"description": "is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Vasport May 2012)\n\nAliases: Vasport",
"value": "Vasport - S0207",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0207",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security%20response/writeup.jsp?docid=2012-051606-5938-99"
],
"external_id": "S0207",
"synonyms": [
"Vasport"
]
},
"uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5"
},
{
"description": "Cherry Picker is a point of sale (PoS) memory scraper. (Citation: Trustwave Cherry Picker)\n\nAliases: Cherry Picker",
"value": "Cherry Picker - S0107",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0107",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/"
],
"external_id": "S0107",
"synonyms": [
"Cherry Picker"
]
},
"uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe"
},
{
"description": "XTunnel a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee. (Citation: Crowdstrike DNC June 2016) (Citation: Invincea XTunnel) (Citation: ESET Sednit Part 2)\n\nAliases: XTunnel, X-Tunnel, XAPS",
"value": "XTunnel - S0117",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0117",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf"
],
"external_id": "S0117",
"synonyms": [
"XTunnel",
"X-Tunnel",
"XAPS"
]
},
"uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab"
},
{
"description": "Naid is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Naid June 2012)\n\nAliases: Naid",
"value": "Naid - S0205",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0205",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security%20response/writeup.jsp?docid=2012-061518-4639-99"
],
"external_id": "S0205",
"synonyms": [
"Naid"
]
},
"uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2"
},
{
"description": "GeminiDuke is malware that was used by APT29 from 2009 to 2012. (Citation: F-Secure The Dukes)\n\nAliases: GeminiDuke",
"value": "GeminiDuke - S0049",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0049",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf"
],
"external_id": "S0049",
"synonyms": [
"GeminiDuke"
]
},
"uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6"
},
{
"description": "is an exfiltration tool used by APT37. (Citation: FireEye APT37 Feb 2018)\n\nAliases: CORALDECK",
"value": "CORALDECK - S0212",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0212",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt%20APT37.pdf"
],
"external_id": "S0212",
"synonyms": [
"CORALDECK"
]
},
"uuid": "8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e"
},
{
"description": "Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. (Citation: Dell Sakula)\n\nAliases: Sakula, Sakurel, VIPER",
"value": "Sakula - S0074",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0074",
"http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/"
],
"external_id": "S0074",
"synonyms": [
"Sakula",
"Sakurel",
"VIPER"
]
},
"uuid": "96b08451-b27a-4ff6-893f-790e26393a8e"
},
{
"description": "Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. (Citation: Securelist Agent.btz)\n\nAliases: Agent.btz",
"value": "Agent.btz - S0092",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0092",
"https://securelist.com/agent-btz-a-source-of-inspiration/58551/"
],
"external_id": "S0092",
"synonyms": [
"Agent.btz"
]
},
"uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39"
},
{
"description": "Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. (Citation: ESET Operation Groundbait)\n\nAliases: Prikormka",
"value": "Prikormka - S0113",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0113",
"http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf"
],
"external_id": "S0113",
"synonyms": [
"Prikormka"
]
},
"uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69"
},
{
"description": "NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” (Citation: FireEye APT30)\n\nAliases: NETEAGLE",
"value": "NETEAGLE - S0034",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0034",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"external_id": "S0034",
"synonyms": [
"NETEAGLE"
]
},
"uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2"
},
{
"description": "SLOWDRIFT is a backdoor used by APT37 against academic and strategic victims in South Korea. (Citation: FireEye APT37 Feb 2018)\n\nAliases: SLOWDRIFT",
"value": "SLOWDRIFT - S0218",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0218",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt%20APT37.pdf"
],
"external_id": "S0218",
"synonyms": [
"SLOWDRIFT"
]
},
"uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16"
},
{
"description": "USBStealer is malware that has used by APT28 since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with ADVSTORESHELL. (Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy)\n\nAliases: USBStealer, USB Stealer, Win32/USBStealer",
"value": "USBStealer - S0136",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0136",
"http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/",
"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
],
"external_id": "S0136",
"synonyms": [
"USBStealer",
"USB Stealer",
"Win32/USBStealer"
]
},
"uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb"
},
{
"description": "CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic. (Citation: Mandiant APT1)\n\nAliases: CALENDAR",
"value": "CALENDAR - S0025",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0025",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"external_id": "S0025",
"synonyms": [
"CALENDAR"
]
},
"uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283"
},
{
"description": "A Linux rootkit that provides backdoor access and hides from defenders.\n\nAliases: Umbreon",
"value": "Umbreon - S0221",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0221"
],
"external_id": "S0221",
"synonyms": [
"Umbreon"
]
},
"uuid": "3d8e547d-9456-4f32-a895-dc86134e282f"
},
{
"description": "Wingbird is a backdoor that appears to be a version of commercial software FinFisher. It is reportedly used to attack individual computers instead of networks. It was used by NEODYMIUM in a May 2016 campaign. (Citation: Microsoft SIR Vol 21) (Citation: Microsoft NEODYMIUM Dec 2016)\n\nAliases: Wingbird",
"value": "Wingbird - S0176",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0176",
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft%20Security%20Intelligence%20Report%20Volume%2021%20English.pdf",
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
],
"external_id": "S0176",
"synonyms": [
"Wingbird"
]
},
"uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654"
},
{
"description": "is a Trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Nerex May 2012)\n\nAliases: Nerex",
"value": "Nerex - S0210",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0210",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security%20response/writeup.jsp?docid=2012-051515-3445-99"
],
"external_id": "S0210",
"synonyms": [
"Nerex"
]
},
"uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a"
},
{
"description": "Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003. (Citation: Kaspersky Regin)\n\nAliases: Regin",
"value": "Regin - S0019",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0019",
"https://securelist.com/files/2014/11/Kaspersky%20Lab%20whitepaper%20Regin%20platform%20eng.pdf"
],
"external_id": "S0019",
"synonyms": [
"Regin"
]
},
"uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0"
},
{
"description": "AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. (Citation: Forcepoint Monsoon) This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.\n\nAliases: AutoIt backdoor",
"value": "AutoIt backdoor - S0129",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0129",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
],
"external_id": "S0129",
"synonyms": [
"AutoIt backdoor"
]
},
"uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300"
},
{
"description": "POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server. (Citation: FireEye APT34 Dec 2017)\n\nAliases: POWRUNER",
"value": "POWRUNER - S0184",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0184",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
],
"external_id": "S0184",
"synonyms": [
"POWRUNER"
]
},
"uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46"
},
{
"description": "Power Loader is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nAliases: Power Loader, Win32/Agent.UAW",
"value": "Power Loader - S0177",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0177",
"https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html",
"https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/"
],
"external_id": "S0177",
"synonyms": [
"Power Loader",
"Win32/Agent.UAW"
]
},
"uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3"
},
{
"description": "Pteranodon is a custom backdoor used by Gamaredon Group. (Citation: Palo Alto Gamaredon Feb 2017)\n\nAliases: Pteranodon",
"value": "Pteranodon - S0147",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0147",
"https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
],
"external_id": "S0147",
"synonyms": [
"Pteranodon"
]
},
"uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd"
},
{
"description": "RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. (Citation: Aquino RARSTONE)\n\nAliases: RARSTONE",
"value": "RARSTONE - S0055",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0055",
"http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/"
],
"external_id": "S0055",
"synonyms": [
"RARSTONE"
]
},
"uuid": "8c553311-0baa-4146-997a-f79acef3d831"
},
{
"description": "PUNCHBUGGY is a dynamic-link library (DLL) downloader utilized by FIN8. (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)\n\nAliases: PUNCHBUGGY",
"value": "PUNCHBUGGY - S0196",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0196",
"https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
"https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html"
],
"external_id": "S0196",
"synonyms": [
"PUNCHBUGGY"
]
},
"uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c"
},
{
"description": "Matroyshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)\n\nAliases: Matroyshka",
"value": "Matroyshka - S0167",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0167",
"http://www.clearskysec.com/wp-content/uploads/2017/07/Operation%20Wilted%20Tulip.pdf",
"https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf"
],
"external_id": "S0167",
"synonyms": [
"Matroyshka"
]
},
"uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458"
},
{
"description": "SHOTPUT is a custom backdoor used by APT3. (Citation: FireEye Clandestine Wolf)\n\nAliases: SHOTPUT, Backdoor.APT.CookieCutter, Pirpi",
"value": "SHOTPUT - S0063",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0063",
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html"
],
"external_id": "S0063",
"synonyms": [
"SHOTPUT",
"Backdoor.APT.CookieCutter",
"Pirpi"
]
},
"uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb"
},
{
"description": "Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)\n\nAliases: Orz, AIRBREAK",
"value": "Orz - S0229",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0229",
"https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
],
"external_id": "S0229",
"synonyms": [
"Orz",
"AIRBREAK"
]
},
"uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b"
},
{
"description": "Trojan.Karagany is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums. (Citation: Symantec Dragonfly)\n\nAliases: Trojan.Karagany",
"value": "Trojan.Karagany - S0094",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0094",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/Dragonfly%20Threat%20Against%20Western%20Energy%20Suppliers.pdf"
],
"external_id": "S0094",
"synonyms": [
"Trojan.Karagany"
]
},
"uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d"
},
{
"description": "Kasidet is a backdoor that has been dropped by using malicious VBA macros. (Citation: Zscaler Kasidet)\n\nAliases: Kasidet",
"value": "Kasidet - S0088",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0088",
"http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html"
],
"external_id": "S0088",
"synonyms": [
"Kasidet"
]
},
"uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2"
},
{
"description": "CHOPSTICK is malware family of modular backdoors used by APT28. It has been used from at least November 2012 to August 2016 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28) January 2017\n\nAliases: CHOPSTICK, SPLM, Xagent, X-Agent, webhp",
"value": "CHOPSTICK - S0023",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0023",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf"
],
"external_id": "S0023",
"synonyms": [
"CHOPSTICK",
"SPLM",
"Xagent",
"X-Agent",
"webhp"
]
},
"uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472"
},
{
"description": "is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Darkmoon Aug 2005)\n\nAliases: Darkmoon",
"value": "Darkmoon - S0209",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0209",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security%20response/writeup.jsp?docid=2005-081910-3934-99"
],
"external_id": "S0209",
"synonyms": [
"Darkmoon"
]
},
"uuid": "310f437b-29e7-4844-848c-7220868d074a"
},
{
"description": "MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multiple downloader and backdoor components. The loader has been used with other MiniDuke components as well as in conjunction with CosmicDuke and PinchDuke. (Citation: F-Secure The Dukes)\n\nAliases: MiniDuke",
"value": "MiniDuke - S0051",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0051",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf"
],
"external_id": "S0051",
"synonyms": [
"MiniDuke"
]
},
"uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c"
},
{
"description": "BBSRAT is malware with remote access tool functionality that has been used in targeted compromises. (Citation: Palo Alto Networks BBSRAT)\n\nAliases: BBSRAT",
"value": "BBSRAT - S0127",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0127",
"http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/"
],
"external_id": "S0127",
"synonyms": [
"BBSRAT"
]
},
"uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80"
},
{
"description": "Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of\ntools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)\n\nAliases: Elise, BKDR_ESILE, Page",
"value": "Elise - S0081",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0081",
"https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html"
],
"external_id": "S0081",
"synonyms": [
"Elise",
"BKDR_ESILE",
"Page"
]
},
"uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913"
},
{
"description": "KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management. (Citation: FireEye APT32 May 2017)\n\nAliases: KOMPROGO",
"value": "KOMPROGO - S0156",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0156",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
],
"external_id": "S0156",
"synonyms": [
"KOMPROGO"
]
},
"uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a"
},
{
"description": "BISCUIT is a backdoor that has been used by APT1 since as early as 2007. (Citation: Mandiant APT1)\n\nAliases: BISCUIT",
"value": "BISCUIT - S0017",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0017",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"external_id": "S0017",
"synonyms": [
"BISCUIT"
]
},
"uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda"
},
{
"description": "Uroburos is a rootkit used by Turla. (Citation: Kaspersky Turla)\n\nAliases: Uroburos",
"value": "Uroburos - S0022",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0022",
"https://securelist.com/the-epic-turla-operation/65545/"
],
"external_id": "S0022",
"synonyms": [
"Uroburos"
]
},
"uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4"
},
{
"description": "POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017)\n\nAliases: POWERSOURCE, DNSMessenger",
"value": "POWERSOURCE - S0145",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0145",
"https://www.fireeye.com/blog/threat-research/2017/03/fin7%20spear%20phishing.html",
"http://blog.talosintelligence.com/2017/03/dnsmessenger.html"
],
"external_id": "S0145",
"synonyms": [
"POWERSOURCE",
"DNSMessenger"
]
},
"uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351"
},
{
"description": "hcdLoader is a remote access tool (RAT) that has been used by APT18. (Citation: Dell Lateral Movement)\n\nAliases: hcdLoader",
"value": "hcdLoader - S0071",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0071",
"http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/"
],
"external_id": "S0071",
"synonyms": [
"hcdLoader"
]
},
"uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e"
},
{
"description": "Pasam is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Pasam May 2012)\n\nAliases: Pasam",
"value": "Pasam - S0208",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0208",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security%20response/writeup.jsp?docid=2012-050412-4128-99"
],
"external_id": "S0208",
"synonyms": [
"Pasam"
]
},
"uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae"
},
{
"description": "Zeroaccess is a kernel-mode Rootkit that attempts to add victims to the ZeroAccess botnet, often for monetary gain. (Citation: Sophos ZeroAccess)\n\nAliases: Zeroaccess, Trojan.Zeroaccess",
"value": "Zeroaccess - S0027",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0027",
"https://sophosnews.files.wordpress.com/2012/04/zeroaccess2.pdf"
],
"external_id": "S0027",
"synonyms": [
"Zeroaccess",
"Trojan.Zeroaccess"
]
},
"uuid": "552462b9-ae79-49dd-855c-5973014e157f"
},
{
"description": "is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Linfo May 2012)\n\nAliases: Linfo",
"value": "Linfo - S0211",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0211",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security%20response/writeup.jsp?docid=2012-051605-2535-99"
],
"external_id": "S0211",
"synonyms": [
"Linfo"
]
},
"uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613"
},
{
"description": "Skeleton Key is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. (Citation: Dell Skeleton) Functionality similar to Skeleton Key is included as a module in Mimikatz.\n\nAliases: Skeleton Key",
"value": "Skeleton Key - S0007",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0007",
"http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/"
],
"external_id": "S0007",
"synonyms": [
"Skeleton Key"
]
},
"uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49"
},
{
"description": "Shamoon is malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. The 2.0 version was seen in 2016 targeting Middle Eastern states. (Citation: FireEye Shamoon Nov 2016) (Citation: Palo Alto Shamoon Nov 2016)\n\nAliases: Shamoon, Disttrack",
"value": "Shamoon - S0140",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0140",
"https://www.fireeye.com/blog/threat-research/2016/11/fireeye%20respondsto.html",
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
],
"external_id": "S0140",
"synonyms": [
"Shamoon",
"Disttrack"
]
},
"uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3"
},
{
"description": "FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. (Citation: US-CERT FALLCHILL Nov 2017)\n\nAliases: FALLCHILL",
"value": "FALLCHILL - S0181",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0181",
"https://www.us-cert.gov/ncas/alerts/TA17-318A"
],
"external_id": "S0181",
"synonyms": [
"FALLCHILL"
]
},
"uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e"
},
{
"description": "Briba is a trojan used by Elderwood to open a backdoor and download files on to compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Briba May 2012)\n\nAliases: Briba",
"value": "Briba - S0204",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0204",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security%20response/writeup.jsp?docid=2012-051515-2843-99"
],
"external_id": "S0204",
"synonyms": [
"Briba"
]
},
"uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde"
},
{
"description": "Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. (Citation: US-CERT Volgmer Nov 2017)\n\nAliases: Volgmer",
"value": "Volgmer - S0180",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0180",
"https://www.us-cert.gov/ncas/alerts/TA17-318B"
],
"external_id": "S0180",
"synonyms": [
"Volgmer"
]
},
"uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08"
},
{
"description": "TDTESS is a 64-bit .NET binary backdoor used by CopyKittens. (Citation: ClearSky Wilted Tulip July 2017)\n\nAliases: TDTESS",
"value": "TDTESS - S0164",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0164",
"http://www.clearskysec.com/wp-content/uploads/2017/07/Operation%20Wilted%20Tulip.pdf"
],
"external_id": "S0164",
"synonyms": [
"TDTESS"
]
},
"uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a"
},
{
"description": "4H RAT is malware that has been used by Putter Panda since at least 2007. (Citation: CrowdStrike Putter Panda)\n\nAliases: 4H RAT",
"value": "4H RAT - S0065",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0065",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
],
"external_id": "S0065",
"synonyms": [
"4H RAT"
]
},
"uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc"
},
{
"description": "TURNEDUP is a non-public backdoor. It has been dropped by APT33's DROPSHOT malware (also known as Stonedrill). (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)\n\nAliases: TURNEDUP",
"value": "TURNEDUP - S0199",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0199",
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://www.brighttalk.com/webcast/10703/275683"
],
"external_id": "S0199",
"synonyms": [
"TURNEDUP"
]
},
"uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c"
},
{
"description": "BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that target the financial sector. (Citation: MTrends 2016)\n\nAliases: BOOTRASH",
"value": "BOOTRASH - S0114",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0114",
"https://www.fireeye.com/content/dam/fireeye-www/regional/fr%20FR/offers/pdfs/ig-mtrends-2016.pdf"
],
"external_id": "S0114",
"synonyms": [
"BOOTRASH"
]
},
"uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3"
},
{
"description": "China Chopper is a Web shell hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. (Citation: Lee 2013) It has been used by several threat groups. (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018)\n\nAliases: China Chopper",
"value": "China Chopper - S0020",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0020",
"https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
],
"external_id": "S0020",
"synonyms": [
"China Chopper"
]
},
"uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70"
},
{
"description": "Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper)\n\nAliases: Wiper",
"value": "Wiper - S0041",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0041",
"http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/"
],
"external_id": "S0041",
"synonyms": [
"Wiper"
]
},
"uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085"
},
{
"description": "Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. (Citation: Forcepoint Monsoon)\n\nAliases: Unknown Logger",
"value": "Unknown Logger - S0130",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0130",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
],
"external_id": "S0130",
"synonyms": [
"Unknown Logger"
]
},
"uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56"
},
{
"description": "gh0st is a remote access tool (RAT). The source code is public and it has been used by many groups. (Citation: FireEye Hacking Team)\n\nAliases: gh0st",
"value": "gh0st - S0032",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0032",
"https://www.fireeye.com/blog/threat-research/2015/07/demonstrating%20hustle.html"
],
"external_id": "S0032",
"synonyms": [
"gh0st"
]
},
"uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24"
},
{
"description": "is a backdoor used by APT37 that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018)\n\nAliases: DOGCALL",
"value": "DOGCALL - S0213",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0213",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt%20APT37.pdf"
],
"external_id": "S0213",
"synonyms": [
"DOGCALL"
]
},
"uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d"
},
{
"description": "Helminth is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via a macros in Excel spreadsheets, and one that is a standalone Windows executable. (Citation: Palo Alto OilRig May 2016)\n\nAliases: Helminth\n\nContributors: Robert Falcone",
"value": "Helminth - S0170",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0170",
"http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"
],
"external_id": "S0170",
"synonyms": [
"Helminth"
]
},
"uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e"
},
{
"description": "CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL. It has also been referred to as Sofacy, though that term has been used widely to refer to both the group APT28 and malware families associated with the group. (Citation: FireEye APT28) (Citation: FireEye APT28) January 2017\n\nAliases: CORESHELL, SOURFACE",
"value": "CORESHELL - S0137",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0137",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"
],
"external_id": "S0137",
"synonyms": [
"CORESHELL",
"SOURFACE"
]
},
"uuid": "60c18d06-7b91-4742-bae3-647845cd9d81"
},
{
"description": "SOUNDBITE is a signature backdoor used by APT32. (Citation: FireEye APT32 May 2017)\n\nAliases: SOUNDBITE",
"value": "SOUNDBITE - S0157",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0157",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
],
"external_id": "S0157",
"synonyms": [
"SOUNDBITE"
]
},
"uuid": "9ca488bd-9587-48ef-b923-1743523e63b2"
},
{
"description": "Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. (Citation: Symantec Strider Blog)\n\nAliases: Remsec, Backdoor.Remsec, ProjectSauron",
"value": "Remsec - S0125",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0125",
"http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets"
],
"external_id": "S0125",
"synonyms": [
"Remsec",
"Backdoor.Remsec",
"ProjectSauron"
]
},
"uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8"
},
{
"description": "POORAIM is a backdoor used by APT37 in campaigns since at least 2014. (Citation: FireEye APT37 Feb 2018)\n\nAliases: POORAIM",
"value": "POORAIM - S0216",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0216",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt%20APT37.pdf"
],
"external_id": "S0216",
"synonyms": [
"POORAIM"
]
},
"uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79"
},
{
"description": "FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)\n\nAliases: FLASHFLOOD",
"value": "FLASHFLOOD - S0036",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0036",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"external_id": "S0036",
"synonyms": [
"FLASHFLOOD"
]
},
"uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a"
},
{
"description": "TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. (Citation: Forcepoint Monsoon)\n\nAliases: TINYTYPHON",
"value": "TINYTYPHON - S0131",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0131",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
],
"external_id": "S0131",
"synonyms": [
"TINYTYPHON"
]
},
"uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca"
},
{
"description": "Gazer is a backdoor used by Turla since at least 2016. (Citation: ESET Gazer Aug 2017)\n\nAliases: Gazer, WhiteBear\n\nContributors: Bartosz Jerzman",
"value": "Gazer - S0168",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0168",
"https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
],
"external_id": "S0168",
"synonyms": [
"Gazer",
"WhiteBear"
]
},
"uuid": "76abb3ef-dafd-4762-97cb-a35379429db4"
},
{
"description": "SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with CozyCar. (Citation: F-Secure The Dukes)\n\nAliases: SeaDuke, SeaDaddy, SeaDesk",
"value": "SeaDuke - S0053",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0053",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf"
],
"external_id": "S0053",
"synonyms": [
"SeaDuke",
"SeaDaddy",
"SeaDesk"
]
},
"uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14"
},
{
"description": "HALFBAKED is a malware family consisting of multiple components intended to establish persistence in victim networks. (Citation: FireEye FIN7 April 2017)\n\nAliases: HALFBAKED",
"value": "HALFBAKED - S0151",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0151",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
],
"external_id": "S0151",
"synonyms": [
"HALFBAKED"
]
},
"uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f"
},
{
"description": "ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)\n\nAliases: ADVSTORESHELL, NETUI, EVILTOSS, AZZY, Sedreco",
"value": "ADVSTORESHELL - S0045",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0045",
"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf"
],
"external_id": "S0045",
"synonyms": [
"ADVSTORESHELL",
"NETUI",
"EVILTOSS",
"AZZY",
"Sedreco"
]
},
"uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73"
},
{
"description": "SNUGRIDE is a backdoor that has been used by menuPass as first stage malware. (Citation: FireEye APT10 April 2017)\n\nAliases: SNUGRIDE",
"value": "SNUGRIDE - S0159",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0159",
"https://www.fireeye.com/blog/threat-research/2017/04/apt10%20menupass%20grou.html"
],
"external_id": "S0159",
"synonyms": [
"SNUGRIDE"
]
},
"uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870"
},
{
"description": "S-Type is a backdoor that was used by Dust Storm from 2013 to 2014. (Citation: Cylance Dust Storm)\n\nAliases: S-Type",
"value": "S-Type - S0085",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0085",
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op%20Dust%20Storm%20Report.pdf"
],
"external_id": "S0085",
"synonyms": [
"S-Type"
]
},
"uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131"
},
{
"description": "Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets\n\nAliases: Chaos",
"value": "Chaos - S0220",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0220"
],
"external_id": "S0220",
"synonyms": [
"Chaos"
]
},
"uuid": "5bcd5511-6756-4824-a692-e8bb109364af"
},
{
"description": "NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. (Citation: Kaspersky NetTraveler)\n\nAliases: NetTraveler",
"value": "NetTraveler - S0033",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0033",
"http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf"
],
"external_id": "S0033",
"synonyms": [
"NetTraveler"
]
},
"uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e"
},
{
"description": "RemoteCMD is a custom tool used by APT3 to execute commands on a remote system similar to SysInternal's PSEXEC functionality. (Citation: Symantec Buckeye)\n\nAliases: RemoteCMD",
"value": "RemoteCMD - S0166",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0166",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
],
"external_id": "S0166",
"synonyms": [
"RemoteCMD"
]
},
"uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26"
},
{
"description": "Dyre is a Trojan that usually targets banking information. (Citation: Raff 2015)\n\nAliases: Dyre",
"value": "Dyre - S0024",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0024",
"http://www.seculert.com/blogs/new-dyre-version-yet-another-malware-evading-sandboxes"
],
"external_id": "S0024",
"synonyms": [
"Dyre"
]
},
"uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe"
},
{
"description": "P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. (Citation: Dell P2P ZeuS)\n\nAliases: P2P ZeuS, Peer-to-Peer ZeuS, Gameover ZeuS",
"value": "P2P ZeuS - S0016",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0016",
"http://www.secureworks.com/cyber-threat-intelligence/threats/The%20Lifecycle%20of%20Peer%20to%20Peer%20Gameover%20ZeuS/"
],
"external_id": "S0016",
"synonyms": [
"P2P ZeuS",
"Peer-to-Peer ZeuS",
"Gameover ZeuS"
]
},
"uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85"
},
{
"description": " (Citation: FinFisher) is a government-grade commercial surveillance reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including Wingbird. (Citation: FinFisher) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)\n\nAliases: (Citation: FinFisher), FinSpy",
"value": "FinFisher - S0182",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0182",
"http://www.finfisher.com/FinFisher/index.html",
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft%20Security%20Intelligence%20Report%20Volume%2021%20English.pdf",
"https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html",
"https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/"
],
"external_id": "S0182",
"synonyms": [
"FinFisher",
"FinSpy"
]
},
"uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858"
},
{
"description": "ComRAT is a remote access tool suspected of being a decedent of Agent.btz and used by Turla. (Citation: Symantec Waterbug) (Citation: NorthSec 2015 GData Uroburos Tools)\n\nAliases: ComRAT",
"value": "ComRAT - S0126",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0126",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/waterbug-attack-group.pdf",
"https://www.nsec.io/wp-content/uploads/2015/05/uroburos-actors-tools-1.1.pdf"
],
"external_id": "S0126",
"synonyms": [
"ComRAT"
]
},
"uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565"
},
{
"description": "POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors. (Citation: FireEye POSHSPY April 2017)\n\nAliases: POSHSPY",
"value": "POSHSPY - S0150",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0150",
"https://www.fireeye.com/blog/threat-research/2017/03/dissecting%20one%20ofap.html"
],
"external_id": "S0150",
"synonyms": [
"POSHSPY"
]
},
"uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808"
},
{
"description": "is a backdoor used by PLATINUM that is similar to Dipsind. (Citation: Microsoft PLATINUM April 2016)\n\nAliases: adbupd\n\nContributors: Ryan Becwar",
"value": "adbupd - S0202",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0202"
],
"external_id": "S0202",
"synonyms": [
"adbupd"
]
},
"uuid": "0f1ad2ef-41d4-4b7a-9304-ddae68ea3005"
},
{
"description": "Felismus is a modular backdoor that has been used by Sowbug. (Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)\n\nAliases: Felismus",
"value": "Felismus - S0171",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0171",
"https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments",
"https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware"
],
"external_id": "S0171",
"synonyms": [
"Felismus"
]
},
"uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1"
},
{
"description": "Truvasys is first-stage malware that has been used by PROMETHIUM. It is a collection of modules written in the Delphi programming language. (Citation: Microsoft Win Defender Truvasys Sep 2017) (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)\n\nAliases: Truvasys",
"value": "Truvasys - S0178",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0178",
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Truvasys.A!dha",
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft%20Security%20Intelligence%20Report%20Volume%2021%20English.pdf"
],
"external_id": "S0178",
"synonyms": [
"Truvasys"
]
},
"uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad"
},
{
"description": "Winnti is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, Winnti Group; however, reporting indicates a second distinct group, Axiom, also uses the malware. (Citation: Kaspersky Winnti April 2013) (Citation: Microsoft Winnti Jan 2017) (Citation: Novetta Winnti April 2015)\n\nAliases: Winnti",
"value": "Winnti - S0141",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0141",
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf",
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf"
],
"external_id": "S0141",
"synonyms": [
"Winnti"
]
},
"uuid": "d3afa961-a80c-4043-9509-282cdf69ab21"
},
{
"description": "RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). (Citation: ESET RTM Feb 2017)\n\nAliases: RTM",
"value": "RTM - S0148",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0148",
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
],
"external_id": "S0148",
"synonyms": [
"RTM"
]
},
"uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841"
},
{
"description": "CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. (Citation: Scarlet Mimic Jan 2016)\n\nAliases: CallMe",
"value": "CallMe - S0077",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0077",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
],
"external_id": "S0077",
"synonyms": [
"CallMe"
]
},
"uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5"
},
{
"description": "HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide that malware. (Citation: ESET Sednit Part 3) (Citation: Sekoia HideDRV Oct 2016)\n\nAliases: HIDEDRV",
"value": "HIDEDRV - S0135",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0135",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf",
"http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf"
],
"external_id": "S0135",
"synonyms": [
"HIDEDRV"
]
},
"uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4"
},
{
"description": "Mis-Type is a backdoor hybrid that was used by Dust Storm in 2012. (Citation: Cylance Dust Storm)\n\nAliases: Mis-Type",
"value": "Mis-Type - S0084",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0084",
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op%20Dust%20Storm%20Report.pdf"
],
"external_id": "S0084",
"synonyms": [
"Mis-Type"
]
},
"uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61"
},
{
"description": "Hikit is malware that has been used by (Citation: Axiom) for late-stage persistence and exfiltration after the initial compromise. (Citation: Axiom)\n\nAliases: Hikit",
"value": "Hikit - S0009",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0009",
"http://www.novetta.com/wp-content/uploads/2014/11/Executive%20Summary-Final%201.pdf"
],
"external_id": "S0009",
"synonyms": [
"Hikit"
]
},
"uuid": "95047f03-4811-4300-922e-1ba937d53a61"
},
{
"description": "ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. (Citation: Dell TG-3390)\n\nAliases: ASPXSpy, ASPXTool",
"value": "ASPXSpy - S0073",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0073",
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"
],
"external_id": "S0073",
"synonyms": [
"ASPXSpy",
"ASPXTool"
]
},
"uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2"
},
{
"description": "Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM. (Citation: Microsoft PLATINUM April 2016)\n\nAliases: Dipsind\n\nContributors: Ryan Becwar",
"value": "Dipsind - S0200",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0200"
],
"external_id": "S0200",
"synonyms": [
"Dipsind"
]
},
"uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517"
},
{
"description": "SEASHARPEE is a Web shell that has been used by APT34. (Citation: FireEye APT34 Webinar Dec 2017)\n\nAliases: SEASHARPEE",
"value": "SEASHARPEE - S0185",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0185",
"https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east"
],
"external_id": "S0185",
"synonyms": [
"SEASHARPEE"
]
},
"uuid": "0998045d-f96e-4284-95ce-3c8219707486"
},
{
"description": "Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of Sykipot hijacks smart cards on victims. (Citation: Alienvault Sykipot DOD Smart Cards) The group using this malware has also been referred to as Sykipot. (Citation: Blasco 2013)\n\nAliases: Sykipot",
"value": "Sykipot - S0018",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0018",
"https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards",
"http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments"
],
"external_id": "S0018",
"synonyms": [
"Sykipot"
]
},
"uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9"
},
{
"description": "DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware. (Citation: ClearSky Charming Kitten Dec 2017)\n\nAliases: DownPaper",
"value": "DownPaper - S0186",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0186",
"http://www.clearskysec.com/wp-content/uploads/2017/12/Charming%20Kitten%202017.pdf"
],
"external_id": "S0186",
"synonyms": [
"DownPaper"
]
},
"uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148"
},
{
"description": "OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network. (Citation: Symantec Buckeye)\n\nAliases: OSInfo",
"value": "OSInfo - S0165",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0165",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
],
"external_id": "S0165",
"synonyms": [
"OSInfo"
]
},
"uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8"
},
{
"description": "HOMEFRY is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other Leviathan backdoors. (Citation: FireEye Periscope March 2018)\n\nAliases: HOMEFRY",
"value": "HOMEFRY - S0232",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0232",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
],
"external_id": "S0232",
"synonyms": [
"HOMEFRY"
]
},
"uuid": "7451bcf9-e6e6-4a70-bc3d-1599173d0035"
},
{
"description": "GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic. (Citation: Mandiant APT1)\n\nAliases: GLOOXMAIL, Trojan.GTALK",
"value": "GLOOXMAIL - S0026",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0026",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"external_id": "S0026",
"synonyms": [
"GLOOXMAIL",
"Trojan.GTALK"
]
},
"uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2"
},
{
"description": "Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio. (Citation: Lotus Blossom Dec 2015)\n\nAliases: Emissary",
"value": "Emissary - S0082",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0082",
"http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/"
],
"external_id": "S0082",
"synonyms": [
"Emissary"
]
},
"uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1"
},
{
"description": "PUNCHTRACK is non-persistent point of sale (POS) system malware utilized by FIN8 to scrape payment card data. (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)\n\nAliases: PUNCHTRACK, PSVC",
"value": "PUNCHTRACK - S0197",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0197",
"https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
"https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html"
],
"external_id": "S0197",
"synonyms": [
"PUNCHTRACK",
"PSVC"
]
},
"uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79"
},
{
"description": "Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. (Citation: Softpedia MinerC)\n\nAliases: Miner-C, Mal/Miner-C, PhotoMiner",
"value": "Miner-C - S0133",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0133",
"http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml"
],
"external_id": "S0133",
"synonyms": [
"Miner-C",
"Mal/Miner-C",
"PhotoMiner"
]
},
"uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234"
},
{
"description": " (Citation: DustySky) is multi-stage malware written in .NET that has been used by Molerats since May 2015. (Citation: DustySky) (Citation: DustySky)2\n\nAliases: (Citation: DustySky), NeD Worm",
"value": "DustySky - S0062",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0062"
],
"external_id": "S0062",
"synonyms": [
"DustySky",
"NeD Worm"
]
},
"uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54"
},
{
"description": "BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. (Citation: FireEye admin@338)\n\nAliases: BUBBLEWRAP, Backdoor.APT.FakeWinHTTPHelper",
"value": "BUBBLEWRAP - S0043",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0043",
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
],
"external_id": "S0043",
"synonyms": [
"BUBBLEWRAP",
"Backdoor.APT.FakeWinHTTPHelper"
]
},
"uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b"
},
{
"description": "pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple \"download-and-\nexecute\" utility. (Citation: CrowdStrike Putter Panda)\n\nAliases: pngdowner",
"value": "pngdowner - S0067",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0067",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
],
"external_id": "S0067",
"synonyms": [
"pngdowner"
]
},
"uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d"
},
{
"description": "SslMM is a full-featured backdoor used by Naikon that has multiple variants. (Citation: Baumgartner Naikon 2015)\n\nAliases: SslMM",
"value": "SslMM - S0058",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0058",
"https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
],
"external_id": "S0058",
"synonyms": [
"SslMM"
]
},
"uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421"
},
{
"description": "Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web compromise. (Citation: Symantec Suckfly March 2016)\n\nAliases: Nidiran, Backdoor.Nidiran",
"value": "Nidiran - S0118",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0118",
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
],
"external_id": "S0118",
"synonyms": [
"Nidiran",
"Backdoor.Nidiran"
]
},
"uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe"
},
{
"description": "Trojan.Mebromi is BIOS-level malware that takes control of the victim before MBR. (Citation: Ge 2011)\n\nAliases: Trojan.Mebromi",
"value": "Trojan.Mebromi - S0001",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0001",
"http://www.symantec.com/connect/blogs/bios-threat-showing-again"
],
"external_id": "S0001",
"synonyms": [
"Trojan.Mebromi"
]
},
"uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec"
},
{
"description": "is a backdoor typically used by APT37 as first-stage malware. (Citation: FireEye APT37 Feb 2018)\n\nAliases: KARAE",
"value": "KARAE - S0215",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0215",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt%20APT37.pdf"
],
"external_id": "S0215",
"synonyms": [
"KARAE"
]
},
"uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322"
},
{
"description": "OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. (Citation: Dell TG-3390)\n\nAliases: OwaAuth",
"value": "OwaAuth - S0072",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0072",
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"
],
"external_id": "S0072",
"synonyms": [
"OwaAuth"
]
},
"uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5"
},
{
"description": "ROCKBOOT is a Bootkit that has been used by an unidentified, suspected China-based group. (Citation: FireEye Bootkits)\n\nAliases: ROCKBOOT",
"value": "ROCKBOOT - S0112",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0112",
"https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html"
],
"external_id": "S0112",
"synonyms": [
"ROCKBOOT"
]
},
"uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7"
},
{
"description": "MURKYTOP is a reconnaissance tool used by Leviathan. (Citation: FireEye Periscope March 2018)\n\nAliases: MURKYTOP",
"value": "MURKYTOP - S0233",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0233",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
],
"external_id": "S0233",
"synonyms": [
"MURKYTOP"
]
},
"uuid": "049ff071-0b3c-4712-95d2-d21c6aa54501"
},
{
"description": "OnionDuke is malware that was used by APT29 from 2013 to 2015. (Citation: F-Secure The Dukes)\n\nAliases: OnionDuke",
"value": "OnionDuke - S0052",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0052",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf"
],
"external_id": "S0052",
"synonyms": [
"OnionDuke"
]
},
"uuid": "b136d088-a829-432c-ac26-5529c26d4c7e"
},
{
"description": "JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Dipsind code bases were related in some way. (Citation: Microsoft PLATINUM April 2016)\n\nAliases: JPIN\n\nContributors: Ryan Becwar",
"value": "JPIN - S0201",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0201"
],
"external_id": "S0201",
"synonyms": [
"JPIN"
]
},
"uuid": "de6cb631-52f6-4169-a73b-7965390b0c30"
},
{
"description": "LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Kong-based media organizations. (Citation: FireEye admin@338)\n\nAliases: LOWBALL",
"value": "LOWBALL - S0042",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0042",
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
],
"external_id": "S0042",
"synonyms": [
"LOWBALL"
]
},
"uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b"
},
{
"description": "is a trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012)\n\nAliases: Wiarp",
"value": "Wiarp - S0206",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0206",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-elderwood-project.pdf",
"https://www.symantec.com/security%20response/writeup.jsp?docid=2012-051606-1005-99"
],
"external_id": "S0206",
"synonyms": [
"Wiarp"
]
},
"uuid": "039814a0-88de-46c5-a4fb-b293db21880a"
},
{
"description": "BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013. (Citation: FireEye APT17) (Citation: FireEye Periscope March 2018)\n\nAliases: BLACKCOFFEE",
"value": "BLACKCOFFEE - S0069",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0069",
"https://www2.fireeye.com/rs/fireye/images/APT17%20Report.pdf",
"https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
],
"external_id": "S0069",
"synonyms": [
"BLACKCOFFEE"
]
},
"uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43"
},
{
"description": "Derusbi is malware used by multiple Chinese APT groups. (Citation: Axiom) (Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed. (Citation: Fidelis Turbo)\n\nAliases: Derusbi, PHOTO",
"value": "Derusbi - S0021",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0021",
"http://www.novetta.com/wp-content/uploads/2014/11/Executive%20Summary-Final%201.pdf",
"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/",
"https://www.fidelissecurity.com/sites/default/files/TA%20Fidelis%20Turbo%201602%200.pdf"
],
"external_id": "S0021",
"synonyms": [
"Derusbi",
"PHOTO"
]
},
"uuid": "94379dec-5c87-49db-b36e-66abc0b81344"
},
{
"description": "RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. (Citation: Kroll RawPOS Jan 2017) (Citation: TrendMicro RawPOS April 2015) (Citation: Visa RawPOS March 2015) FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)\n\nAliases: RawPOS, FIENDCRY, DUEBREW, DRIFTWOOD\n\nContributors: Walker Johnson",
"value": "RawPOS - S0169",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0169",
"https://usa.visa.com/dam/VCOM/download/merchants/alert-rawpos.pdf",
"https://www.youtube.com/watch?v=fevGZs0EQu8",
"https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?"
],
"external_id": "S0169",
"synonyms": [
"RawPOS",
"FIENDCRY",
"DUEBREW",
"DRIFTWOOD"
]
},
"uuid": "9752aef4-a1f3-4328-929f-b64eb0536090"
},
{
"description": "Epic is a backdoor that has been used by Turla. (Citation: Kaspersky Turla)\n\nAliases: Epic, Tavdig, Wipbot, WorldCupSec, TadjMakhal",
"value": "Epic - S0091",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0091",
"https://securelist.com/the-epic-turla-operation/65545/"
],
"external_id": "S0091",
"synonyms": [
"Epic",
"Tavdig",
"Wipbot",
"WorldCupSec",
"TadjMakhal"
]
},
"uuid": "6b62e336-176f-417b-856a-8552dd8c44e1"
},
{
"description": "Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006. (Citation: Villeneuve 2014) (Citation: Villeneuve 2011)\n\nAliases: Lurid, Enfal",
"value": "Lurid - S0010",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0010",
"https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp%20dissecting-lurid-apt.pdf"
],
"external_id": "S0010",
"synonyms": [
"Lurid",
"Enfal"
]
},
"uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad"
},
{
"description": "3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda. (Citation: CrowdStrike Putter Panda)\n\nAliases: 3PARA RAT",
"value": "3PARA RAT - S0066",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0066",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
],
"external_id": "S0066",
"synonyms": [
"3PARA RAT"
]
},
"uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a"
},
{
"description": "JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance malware. (Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017)\n\nAliases: JHUHUGIT, Seduploader, JKEYSKW, Sednit, GAMEFISH, SofacyCarberp",
"value": "JHUHUGIT - S0044",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0044",
"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
"https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
],
"external_id": "S0044",
"synonyms": [
"JHUHUGIT",
"Seduploader",
"JKEYSKW",
"Sednit",
"GAMEFISH",
"SofacyCarberp"
]
},
"uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2"
},
{
"description": "ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16. (Citation: FireEye EPS Awakens Part 2)\n\nAliases: ELMER",
"value": "ELMER - S0064",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0064",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
],
"external_id": "S0064",
"synonyms": [
"ELMER"
]
},
"uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c"
}
]
}