add VEILEDSIGNALand more

2023-04-27 09:53:49 +02:00 · 2023-04-27 09:53:49 +02:00 · bd050668ef
parent 79b80b0869
commit bd050668ef
2 changed files with 72 additions and 2 deletions
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@ -214,7 +214,27 @@
      },
      "uuid": "c866b002-1cb6-4c91-8a8b-f0b0c6ac2b1a",
      "value": "PowerMagic"
+    },
+    {
+      "description": "VEILEDSIGNAL is a backdoor written in C that is able to execute shellcode and terminate itself. Additionally, VEILEDSIGNAL relies on additional modules that connect via Windows named pipes to interact with the Command and Control(C2) infrastructure.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+        ]
+      },
+      "uuid": "f482f9bb-ced1-4a2f-90cd-07df7163b44f",
+      "value": "VEILEDSIGNAL"
+    },
+    {
+      "description": "POOLRAT is a C/C++ macOS backdoor capable of collecting basic system information and executing commands. The commands performed include running arbitrary commands, secure deleting files, reading and writing files, updating the configuration.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+        ]
+      },
+      "uuid": "617009c2-e6bc-4881-8f46-b9b4a68f4c04",
+      "value": "POOLRAT"
    }
  ],
-  "version": 15
+  "version": 16
 }
--- a/clusters/tool.json
+++ b/clusters/tool.json
@ -10030,7 +10030,57 @@
      ],
      "uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
      "value": "QUARTERRIG"
+    },
+    {
+      "description": "ICONICSTEALER is a C/C++ data miner that collects application configuration data as well as browser history.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+        ]
+      },
+      "uuid": "1dca0cec-920e-47d4-a848-ed417f4012e8",
+      "value": "ICONICSTEALER"
+    },
+    {
+      "description": "DAVESHELL is shellcode that functions as an in-memory dropper. Its embedded payload is mapped into memory and executed.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+        ]
+      },
+      "uuid": "0ca56007-de60-41b6-99a6-3b7d9dd737d4",
+      "value": "DAVESHELL"
+    },
+    {
+      "description": "SigFlip is a tool for patching authenticode signed PE-COFF files to inject arbitrary code without affecting or breaking the file's signature.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+        ]
+      },
+      "uuid": "832f7b8c-b733-48b5-a186-7482b09fe5be",
+      "value": "SIGFLIP"
+    },
+    {
+      "description": "COLDCAT is a complex downloader. COLDCAT generates unique host identifier information, and beacons it to a C2 that is specified in a separate file via POST request with the data in the cookie header. After a brief handshake, the malware expects base64 encoded shellcode to execute in response.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+        ]
+      },
+      "uuid": "62530fb1-fbce-4b39-91d3-bedc0c37d0fe",
+      "value": "COLDCAT"
+    },
+    {
+      "description": "TAXHAUL is a DLL that, when executed, decrypts a shellcode payload expected at C:\\Windows\\System32\\config\\TxR\\<machine hardware profile GUID>.TXR.0.regtrans-ms. Mandiant has seen TAXHAUL persist via DLL side loading.",
+      "meta": {
+        "refs": [
+          "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+        ]
+      },
+      "uuid": "90ced040-3507-4b81-9e6d-131acde085ab",
+      "value": "TAXHAUL"
    }
  ],
-  "version": 165
+  "version": 166
 }