From bd050668ef008444944af1718e20337fa809b390 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Thu, 27 Apr 2023 09:53:49 +0200
Subject: [PATCH] add VEILEDSIGNALand more
---
 clusters/backdoor.json | 22 +++++++++++++++++-
 clusters/tool.json | 52 +++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 72 insertions(+), 2 deletions(-)
diff --git a/clusters/backdoor.json b/clusters/backdoor.json
index 7db5f33..5a313ee 100644
--- a/clusters/backdoor.json
+++ b/clusters/backdoor.json
@@ -214,7 +214,27 @@
 },
 "uuid": "c866b002-1cb6-4c91-8a8b-f0b0c6ac2b1a",
 "value": "PowerMagic"
+ },
+ {
+ "description": "VEILEDSIGNAL is a backdoor written in C that is able to execute shellcode and terminate itself. Additionally, VEILEDSIGNAL relies on additional modules that connect via Windows named pipes to interact with the Command and Control(C2) infrastructure.",
+ "meta": {
+ "refs": [
+ "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+ ]
+ },
+ "uuid": "f482f9bb-ced1-4a2f-90cd-07df7163b44f",
+ "value": "VEILEDSIGNAL"
+ },
+ {
+ "description": "POOLRAT is a C/C++ macOS backdoor capable of collecting basic system information and executing commands. The commands performed include running arbitrary commands, secure deleting files, reading and writing files, updating the configuration.",
+ "meta": {
+ "refs": [
+ "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+ ]
+ },
+ "uuid": "617009c2-e6bc-4881-8f46-b9b4a68f4c04",
+ "value": "POOLRAT"
 }
 ],
- "version": 15
+ "version": 16
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 3525ebe..ccb4748 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
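Review bot: The VEILEDSIGNAL description string has a typo at "Command and Control(C2)", which a reader will see verbatim in every MISP instance that imports this cluster; the line should read `"... to interact with the Command and Control (C2) infrastructure."`. Both new entries carry only a single `refs` URL under `meta`, so anyone searching for related names in the galaxy will not find the other families from the same campaign unless they read the blog; a `meta.synonyms` or a cross-reference in the description would help, but that is optional. The version bump 15 → 16 matches the data change and needs nothing further.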
@@ -10030,7 +10030,57 @@
 ],
 "uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
 "value": "QUARTERRIG"
+ },
+ {
+ "description": "ICONICSTEALER is a C/C++ data miner that collects application configuration data as well as browser history.",
+ "meta": {
+ "refs": [
+ "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+ ]
+ },
+ "uuid": "1dca0cec-920e-47d4-a848-ed417f4012e8",
+ "value": "ICONICSTEALER"
+ },
+ {
+ "description": "DAVESHELL is shellcode that functions as an in-memory dropper. Its embedded payload is mapped into memory and executed.",
+ "meta": {
+ "refs": [
+ "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+ ]
+ },
+ "uuid": "0ca56007-de60-41b6-99a6-3b7d9dd737d4",
+ "value": "DAVESHELL"
+ },
+ {
+ "description": "SigFlip is a tool for patching authenticode signed PE-COFF files to inject arbitrary code without affecting or breaking the file's signature.",
+ "meta": {
+ "refs": [
+ "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+ ]
+ },
+ "uuid": "832f7b8c-b733-48b5-a186-7482b09fe5be",
+ "value": "SIGFLIP"
+ },
+ {
+ "description": "COLDCAT is a complex downloader. COLDCAT generates unique host identifier information, and beacons it to a C2 that is specified in a separate file via POST request with the data in the cookie header. After a brief handshake, the malware expects base64 encoded shellcode to execute in response.",
+ "meta": {
+ "refs": [
+ "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+ ]
+ },
+ "uuid": "62530fb1-fbce-4b39-91d3-bedc0c37d0fe",
+ "value": "COLDCAT"
+ },
+ {
+ "description": "TAXHAUL is a DLL that, when executed, decrypts a shellcode payload expected at C:\\Windows\\System32\\config\\TxR\\.TXR.0.regtrans-ms. 
Mandiant has seen TAXHAUL persist via DLL side loading.",
+ "meta": {
+ "refs": [
+ "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
+ ]
+ },
+ "uuid": "90ced040-3507-4b81-9e6d-131acde085ab",
+ "value": "TAXHAUL"
 }
 ],
- "version": 165
+ "version": 166
 }
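Review bot: The SIGFLIP entry's `value` is upper-cased while its own description (and the public project) spell the name SigFlip, so a lookup by the name analysts actually use will not hit this cluster; adding `"synonyms": ["SigFlip"]` under `meta` beside `refs` keeps the all-caps value consistent with the neighbouring entries while still matching the published name. The TAXHAUL description also closes its first sentence with a trailing space before "Mandiant has seen", which looks like a leftover line break from the source text and should be collapsed to a single space. The hunk header's line counts (7 → 57) are consistent with the five 10-line entries plus the version bump to 166, so the structure itself looks right.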